diff --git a/.ansible-lint b/.ansible-lint
new file mode 100644
index 0000000..6a6a158
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,15 @@
+---
+use_default_rules: true
+parseable: true
+quiet: true
+verbosity: 1
+
+# State that naming for now should be a warning
+# 106: ansible role name does not conform to pattern [a-z][a-z0-9_]+$
+warn_list:
+ - '106'
+
+# This is for false positives
+# 504: Do not use 'local_action', use 'delegate_to: localhost'
+skip_list:
+ - '504'
\ No newline at end of file
diff --git a/.github/playbooks/aio-wazuh.yml b/.github/playbooks/aio-wazuh.yml
new file mode 100644
index 0000000..d9f7e0d
--- /dev/null
+++ b/.github/playbooks/aio-wazuh.yml
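Review bot: `warn_list` and `skip_list` identify rules by the legacy numeric ids `'106'` and `'504'`; newer ansible-lint releases name these rules (`role-name`, `deprecated-local-action`) and, as far as I recall, dropped the numeric ids, so this file may silently stop matching after an upgrade — either pin the ansible-lint version used in CI or switch to the named ids. The "for now" in the warn_list comment records no condition for removing the entry; `# TODO: rename roles to match [a-z][a-z0-9_]+$, then drop 106 from warn_list` would state the intent. `quiet: true` next to `verbosity: 1` pulls in opposite directions; keep one.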
@@ -0,0 +1,68 @@
+- name: Generate certificates prior to converging
+ hosts: localhost
+ become: true
+ become_user: root
+ roles:
+ # 1. Check packages
+ - role: ../../roles/wazuh/check-packages
+ become: no
+ delegate_to: localhost
+ run_once: true
+ # 2. Generate certificates
+ - role: ../../roles/wazuh/wazuh-indexer
+ vars:
+ generate_certs: true
+ perform_installation: false
+ instances:
+ node1:
+ name: wazuh-es01 # Important: must be equal to indexer_node_name.
+ ip: "127.0.0.1" # When unzipping, the node will search for its node name folder to get the cert.
+ role: indexer
+ node3:
+ name: wazuh-mgr01
+ ip: "127.0.0.1"
+ role: wazuh
+ node5:
+ name: wazuh-dash01
+ ip: "127.0.0.1"
+ role: dashboard
+ pre_tasks:
+ - name: overview of cert configuration
+ debug:
+ var: wazuh_endpoint_list
+
+- name: Converge
+ hosts: localhost
+ become: true
+ become_user: root
+ roles:
+ # 1. Wazuh indexer
+ - role: ../../roles/wazuh/wazuh-indexer
+ vars:
+ indexer_node_name: "wazuh-es01"
+ single_node: true
+ # 2. Managers
+ - role: ../../roles/wazuh/ansible-wazuh-manager
+ - role: ../../roles/wazuh/ansible-filebeat-oss
+ vars:
+ filebeat_node_name: "wazuh-mgr01"
+ filebeat_output_indexer_hosts:
+ - "localhost:9200"
+ # 3. Wazuh dashboard
+ - role: ../../roles/wazuh/wazuh-dashboard
+ vars:
+ dashboard_node_name: "wazuh-dash01"
+ vars:
+ instances:
+ node1:
+ name: wazuh-es01 # Important: must be equal to indexer_node_name.
+ ip: "127.0.0.1" # When unzipping, the node will search for its node name folder to get the cert.
+ role: indexer
+ node3:
+ name: wazuh-mgr01
+ ip: "127.0.0.1"
+ role: wazuh
+ node5:
+ name: wazuh-dash01
+ ip: "127.0.0.1"
+ role: dashboard
\ No newline at end of file
diff --git a/.github/playbooks/single-wazuh.yml b/.github/playbooks/single-wazuh.yml
new file mode 100644
index 0000000..164b19a
--- /dev/null
+++ b/.github/playbooks/single-wazuh.yml
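Review bot: The `instances` mapping (node1/node3/node5 with name, ip and role) is written out twice — once under the wazuh-indexer role vars in the certificate play and again as play vars in Converge — and its own comment says the indexer entry must stay equal to `indexer_node_name`, so `wazuh-es01` now lives in three places that have to be edited together; load the mapping once from a shared vars file via `vars_files` in both plays, or define it at play level in the first play as well. Indentation was lost in this extraction, so I cannot tell whether `pre_tasks` is at play level; if it is, listing it after `roles` reads as if it ran after them, whereas Ansible runs pre_tasks before roles — place it above `roles`. Both plays escalate with `become: true` / `become_user: root`; the certificate play only needs that if the role's cert-generation path writes outside the working tree, which is worth confirming and stating in a comment. single-wazuh.yml in this commit opens with `---`; this file does not.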
@@ -0,0 +1,37 @@
+---
+- name: ConvergeCerts
+ hosts: localhost
+ roles:
+ - role: ../../roles/wazuh/check-packages
+ become: no
+ delegate_to: localhost
+ run_once: true
+ - role: ../../roles/wazuh/wazuh-indexer
+ perform_installation: false
+ vars:
+ instances:
+ node1:
+ name: node-1 # Important: must be equal to indexer_node_name.
+ ip: 127.0.0.1
+ role: indexer
+ tags:
+ - generate-certs
+- name: ConvergeInstall
+ hosts: localhost
+ roles:
+ # Managers
+ - role: ../../roles/wazuh/ansible-wazuh-manager
+ vars:
+ - role: ../../roles/wazuh/ansible-filebeat-oss
+ vars:
+ filebeat_output_indexer_hosts:
+ - "indexer_centos7:9200"
+ pre_tasks:
+ - name: (converge) fix missing packages in cloud images
+ apt:
+ name:
+ - unzip
+ - gpg-agent
+ state: present
+ update_cache: yes
+ when: ansible_distribution == "Ubuntu"
\ No newline at end of file
diff --git a/.github/workflows/al_aio.yml b/.github/workflows/al_aio.yml
new file mode 100644
index 0000000..cd12130
--- /dev/null
+++ b/.github/workflows/al_aio.yml
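Review bot: The `ansible-wazuh-manager` role entry carries a bare `vars:` with no value; Ansible treats a null `vars` as empty so it does not fail, but it is a leftover and should be deleted. `perform_installation: false` on the wazuh-indexer role sits beside `role:` rather than under `vars:` as aio-wazuh.yml does; as a role parameter it has higher precedence than a role var, and the two playbooks should use one form — move it under `vars:`. aio-wazuh.yml also sets `generate_certs: true` on that role, whereas here only a `generate-certs` tag is present, so unless the role defaults `generate_certs` to true the ConvergeCerts play may generate nothing — confirm. The Filebeat output host `"indexer_centos7:9200"` looks carried over from a multi-host scenario; nothing in this playbook installs an indexer under that name on localhost, so if it is a deliberate placeholder say so with `# no indexer in this scenario; output host is a placeholder`. `become: no` and `update_cache: yes` should be `false`/`true` (the `.yamllint` added in this commit disables `truthy`, so nothing flags them).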
@@ -0,0 +1,67 @@
+---
+name: AIO-AL-Single-Instance
+on: [pull_request, workflow_dispatch, release]
+jobs:
+ start-runner:
+ name: Start self-hosted EC2 runner
+ runs-on: ubuntu-latest
+ outputs:
+ label: ${{ steps.start-ec2-runner.outputs.label }}
+ ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ secrets.AWS_REGION }}
+ - name: Start EC2 runner
+ id: start-ec2-runner
+ uses: machulav/ec2-github-runner@v2
+ with:
+ mode: start
+ github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+ ec2-image-id: ${{ secrets.AL2_AMI_ID }}
+ ec2-instance-type: t3a.large
+ subnet-id: ${{ secrets.SUBNET_ID }}
+ security-group-id: ${{ secrets.SG_ID }}
+ aws-resource-tags: > # optional, requires additional permissions
+ [
+ {"Key": "Name", "Value": "wazuh-ansible-gh-runner-aio"},
+ {"Key": "GitHubRepository", "Value": "${{ github.repository }}"},
+ {"Key": "team", "Value": "CICD"},
+ {"Key": "termination_date", "Value": "2022-12-31 21:00:00"}
+ ]
+ install-aio-single-instance:
+ name: Installs AIO single instance
+ needs: start-runner # required to start the main job when the runner is ready
+ runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
+ steps:
+ - name: Check out the codebase.
+ uses: actions/checkout@v2
+ - name: Ansible Playbook run Wazuh AIO Single instance
+ run: ansible-playbook ./.github/playbooks/aio-wazuh.yml
+ env:
+ PY_COLORS: '1'
+ ANSIBLE_FORCE_COLOR: '1'
+ stop-runner:
+ name: Stop self-hosted EC2 runner
+ needs:
+ - start-runner # required to get output from the start-runner job
+ - install-aio-single-instance # required to wait when the main job is done
+ runs-on: ubuntu-latest
+ if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ secrets.AWS_REGION }}
+ - name: Stop EC2 runner
+ uses: machulav/ec2-github-runner@v2
+ with:
+ mode: stop
+ github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+ label: ${{ needs.start-runner.outputs.label }}
+ ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }}
\ No newline at end of file
diff --git a/.github/workflows/al_wazuh.yml b/.github/workflows/al_wazuh.yml
new file mode 100644
index 0000000..8200e86
--- /dev/null
+++ b/.github/workflows/al_wazuh.yml
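Review bot: Both AWS steps authenticate with long-lived static keys (`secrets.AWS_ACCESS_KEY_ID` / `secrets.AWS_SECRET_ACCESS_KEY`) and the runner is registered with a personal access token (`secrets.GH_PERSONAL_ACCESS_TOKEN`), while the workflow triggers on `pull_request` and runs checked-out repository code through `ansible-playbook` on a self-hosted EC2 runner; `aws-actions/configure-aws-credentials` supports short-lived OIDC federation (`role-to-assume` plus a top-level `permissions: id-token: write`), which takes the static keys out of the secret store, and the workflow should declare a minimal `permissions:` block either way. Every action is pinned to a floating major tag (`actions/checkout@v2`, `aws-actions/configure-aws-credentials@v1`, `machulav/ec2-github-runner@v2`); pin each to a full commit SHA with the tag in a trailing comment so a retagged release cannot change what runs with these credentials. The `termination_date` resource tag is the constant `2022-12-31 21:00:00`, so any reaper keyed on it treats every runner identically regardless of start time — compute it at run time or drop the tag. al_wazuh.yml, centos_aio.yml, centos_wazuh.yml, ubuntu_aio.yml and ubuntu_wazuh.yml in this commit share all three points. This file and al_wazuh.yml have no Python or Ansible setup step, so `ansible-playbook` presumably comes preinstalled in the `AL2_AMI_ID` image — a comment on the run step stating that assumption would help.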
@@ -0,0 +1,67 @@
+---
+name: Wazuh-AL-Single-Instance
+on: [pull_request, workflow_dispatch, release]
+jobs:
+ start-runner:
+ name: Start self-hosted EC2 runner
+ runs-on: ubuntu-latest
+ outputs:
+ label: ${{ steps.start-ec2-runner.outputs.label }}
+ ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ secrets.AWS_REGION }}
+ - name: Start EC2 runner
+ id: start-ec2-runner
+ uses: machulav/ec2-github-runner@v2
+ with:
+ mode: start
+ github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+ ec2-image-id: ${{ secrets.AL2_AMI_ID }}
+ ec2-instance-type: t3.small
+ subnet-id: ${{ secrets.SUBNET_ID }}
+ security-group-id: ${{ secrets.SG_ID }}
+ aws-resource-tags: > # optional, requires additional permissions
+ [
+ {"Key": "Name", "Value": "wazuh-ansible-gh-runner-wazuh"},
+ {"Key": "GitHubRepository", "Value": "${{ github.repository }}"},
+ {"Key": "team", "Value": "CICD"},
+ {"Key": "termination_date", "Value": "2022-12-31 21:00:00"}
+ ]
+ install-wazuh-single-instance:
+ name: Installs Wazuh server single instance
+ needs: start-runner # required to start the main job when the runner is ready
+ runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
+ steps:
+ - name: Check out the codebase.
+ uses: actions/checkout@v2
+ - name: Ansible Playbook run Wazuh Single instance
+ run: ansible-playbook ./.github/playbooks/single-wazuh.yml
+ env:
+ PY_COLORS: '1'
+ ANSIBLE_FORCE_COLOR: '1'
+ stop-runner:
+ name: Stop self-hosted EC2 runner
+ needs:
+ - start-runner # required to get output from the start-runner job
+ - install-wazuh-single-instance # required to wait when the main job is done
+ runs-on: ubuntu-latest
+ if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ secrets.AWS_REGION }}
+ - name: Stop EC2 runner
+ uses: machulav/ec2-github-runner@v2
+ with:
+ mode: stop
+ github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+ label: ${{ needs.start-runner.outputs.label }}
+ ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }}
\ No newline at end of file
diff --git a/.github/workflows/centos_aio.yml b/.github/workflows/centos_aio.yml
new file mode 100644
index 0000000..0d03a16
--- /dev/null
+++ b/.github/workflows/centos_aio.yml
@@ -0,0 +1,76 @@
+---
+name: AIO-CentOS-Single-Instance
+on: [pull_request, workflow_dispatch, release]
+jobs:
+ start-runner:
+ name: Start self-hosted EC2 runner
+ runs-on: ubuntu-latest
+ outputs:
+ label: ${{ steps.start-ec2-runner.outputs.label }}
+ ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ secrets.AWS_REGION }}
+ - name: Start EC2 runner
+ id: start-ec2-runner
+ uses: machulav/ec2-github-runner@v2
+ with:
+ mode: start
+ github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+ ec2-image-id: ${{ secrets.CENTOS8_AMI_ID }}
+ ec2-instance-type: t3a.large
+ subnet-id: ${{ secrets.SUBNET_ID }}
+ security-group-id: ${{ secrets.SG_ID }}
+ aws-resource-tags: > # optional, requires additional permissions
+ [
+ {"Key": "Name", "Value": "wazuh-ansible-gh-runner-aio"},
+ {"Key": "GitHubRepository", "Value": "${{ github.repository }}"},
+ {"Key": "team", "Value": "CICD"},
+ {"Key": "termination_date", "Value": "2022-12-31 21:00:00"}
+ ]
+ install-aio-single-instance:
+ name: Installs AIO single instance
+ needs: start-runner # required to start the main job when the runner is ready
+ runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
+ steps:
+ - name: Check out the codebase.
+ uses: actions/checkout@v2
+ - name: Hack to get setup-python to work on act. See act issue 251
+ run: |
+ if [ ! -f "/etc/lsb-release" ] ; then
+ echo "DISTRIB_RELEASE=18.04" > /etc/lsb-release
+ fi
+ - name: Set up Python 3.
+ uses: actions/setup-python@v2
+ with:
+ python-version: '3.x'
+ - name: Ansible Playbook run Wazuh AIO Single instance
+ run: ansible-playbook ./.github/playbooks/aio-wazuh.yml
+ env:
+ PY_COLORS: '1'
+ ANSIBLE_FORCE_COLOR: '1'
+ stop-runner:
+ name: Stop self-hosted EC2 runner
+ needs:
+ - start-runner # required to get output from the start-runner job
+ - install-aio-single-instance # required to wait when the main job is done
+ runs-on: ubuntu-latest
+ if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ secrets.AWS_REGION }}
+ - name: Stop EC2 runner
+ uses: machulav/ec2-github-runner@v2
+ with:
+ mode: stop
+ github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+ label: ${{ needs.start-runner.outputs.label }}
+ ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }}
\ No newline at end of file
diff --git a/.github/workflows/centos_wazuh.yml b/.github/workflows/centos_wazuh.yml
new file mode 100644
index 0000000..17e90e3
--- /dev/null
+++ b/.github/workflows/centos_wazuh.yml
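Review bot: The "Hack to get setup-python to work on act" step writes `DISTRIB_RELEASE=18.04` into `/etc/lsb-release` whenever the file is missing, but this job runs on a real EC2 runner, not under act, and on the image behind `secrets.CENTOS8_AMI_ID` that file is normally absent — so every run plants a fake Ubuntu 18.04 marker on the host before Ansible gathers facts, and `ansible_lsb` (which falls back to that file) and anything keyed on it will see it; the write to `/etc` also only works because the runner service happens to run as root. Make the step conditional on act, e.g. `if: ${{ env.ACT }}` on the step (act exports `ACT=true`), or remove it and accept that setup-python is only exercised on the real runner. centos_wazuh.yml, ubuntu_aio.yml and ubuntu_wazuh.yml in this commit carry the identical step. Separately, `actions/setup-python@v2` installs Python but no step installs Ansible, so `ansible-playbook` presumably comes from the AMI — confirm and note that on the run step.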
@@ -0,0 +1,76 @@
+---
+name: Wazuh-CentOS-Single-Instance
+on: [pull_request, workflow_dispatch, release]
+jobs:
+ start-runner:
+ name: Start self-hosted EC2 runner
+ runs-on: ubuntu-latest
+ outputs:
+ label: ${{ steps.start-ec2-runner.outputs.label }}
+ ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ secrets.AWS_REGION }}
+ - name: Start EC2 runner
+ id: start-ec2-runner
+ uses: machulav/ec2-github-runner@v2
+ with:
+ mode: start
+ github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+ ec2-image-id: ${{ secrets.CENTOS8_AMI_ID }}
+ ec2-instance-type: t3.small
+ subnet-id: ${{ secrets.SUBNET_ID }}
+ security-group-id: ${{ secrets.SG_ID }}
+ aws-resource-tags: > # optional, requires additional permissions
+ [
+ {"Key": "Name", "Value": "wazuh-ansible-gh-runner-wazuh"},
+ {"Key": "GitHubRepository", "Value": "${{ github.repository }}"},
+ {"Key": "team", "Value": "CICD"},
+ {"Key": "termination_date", "Value": "2022-12-31 21:00:00"}
+ ]
+ install-wazuh-single-instance:
+ name: Installs Wazuh server single instance
+ needs: start-runner # required to start the main job when the runner is ready
+ runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
+ steps:
+ - name: Check out the codebase.
+ uses: actions/checkout@v2
+ - name: Hack to get setup-python to work on act. See act issue 251
+ run: |
+ if [ ! -f "/etc/lsb-release" ] ; then
+ echo "DISTRIB_RELEASE=18.04" > /etc/lsb-release
+ fi
+ - name: Set up Python 3.
+ uses: actions/setup-python@v2
+ with:
+ python-version: '3.x'
+ - name: Ansible Playbook run Wazuh Single instance
+ run: ansible-playbook ./.github/playbooks/single-wazuh.yml
+ env:
+ PY_COLORS: '1'
+ ANSIBLE_FORCE_COLOR: '1'
+ stop-runner:
+ name: Stop self-hosted EC2 runner
+ needs:
+ - start-runner # required to get output from the start-runner job
+ - install-wazuh-single-instance # required to wait when the main job is done
+ runs-on: ubuntu-latest
+ if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ secrets.AWS_REGION }}
+ - name: Stop EC2 runner
+ uses: machulav/ec2-github-runner@v2
+ with:
+ mode: stop
+ github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+ label: ${{ needs.start-runner.outputs.label }}
+ ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }}
\ No newline at end of file
diff --git a/.github/workflows/ubuntu_aio.yml b/.github/workflows/ubuntu_aio.yml
new file mode 100644
index 0000000..05eb377
--- /dev/null
+++ b/.github/workflows/ubuntu_aio.yml
@@ -0,0 +1,76 @@
+---
+name: AIO-Ubuntu-Single-Instance
+on: [pull_request, workflow_dispatch, release]
+jobs:
+ start-runner:
+ name: Start self-hosted EC2 runner
+ runs-on: ubuntu-latest
+ outputs:
+ label: ${{ steps.start-ec2-runner.outputs.label }}
+ ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ secrets.AWS_REGION }}
+ - name: Start EC2 runner
+ id: start-ec2-runner
+ uses: machulav/ec2-github-runner@v2
+ with:
+ mode: start
+ github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+ ec2-image-id: ${{ secrets.UBUNTU2204_AMI_ID }}
+ ec2-instance-type: t3a.large
+ subnet-id: ${{ secrets.SUBNET_ID }}
+ security-group-id: ${{ secrets.SG_ID }}
+ aws-resource-tags: > # optional, requires additional permissions
+ [
+ {"Key": "Name", "Value": "wazuh-ansible-gh-runner-aio"},
+ {"Key": "GitHubRepository", "Value": "${{ github.repository }}"},
+ {"Key": "team", "Value": "CICD"},
+ {"Key": "termination_date", "Value": "2022-12-31 21:00:00"}
+ ]
+ install-aio-single-instance:
+ name: Installs AIO single instance
+ needs: start-runner # required to start the main job when the runner is ready
+ runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
+ steps:
+ - name: Check out the codebase.
+ uses: actions/checkout@v2
+ - name: Hack to get setup-python to work on act. See act issue 251
+ run: |
+ if [ ! -f "/etc/lsb-release" ] ; then
+ echo "DISTRIB_RELEASE=18.04" > /etc/lsb-release
+ fi
+ - name: Set up Python 3.
+ uses: actions/setup-python@v2
+ with:
+ python-version: '3.x'
+ - name: Ansible Playbook run Wazuh AIO Single instance
+ run: ansible-playbook ./.github/playbooks/aio-wazuh.yml
+ env:
+ PY_COLORS: '1'
+ ANSIBLE_FORCE_COLOR: '1'
+ stop-runner:
+ name: Stop self-hosted EC2 runner
+ needs:
+ - start-runner # required to get output from the start-runner job
+ - install-aio-single-instance # required to wait when the main job is done
+ runs-on: ubuntu-latest
+ if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ secrets.AWS_REGION }}
+ - name: Stop EC2 runner
+ uses: machulav/ec2-github-runner@v2
+ with:
+ mode: stop
+ github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+ label: ${{ needs.start-runner.outputs.label }}
+ ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }}
\ No newline at end of file
diff --git a/.github/workflows/ubuntu_wazuh.yml b/.github/workflows/ubuntu_wazuh.yml
new file mode 100644
index 0000000..64db955
--- /dev/null
+++ b/.github/workflows/ubuntu_wazuh.yml
@@ -0,0 +1,76 @@
+---
+name: Wazuh-Ubuntu-Single-Instance
+on: [pull_request, workflow_dispatch, release]
+jobs:
+ start-runner:
+ name: Start self-hosted EC2 runner
+ runs-on: ubuntu-latest
+ outputs:
+ label: ${{ steps.start-ec2-runner.outputs.label }}
+ ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ secrets.AWS_REGION }}
+ - name: Start EC2 runner
+ id: start-ec2-runner
+ uses: machulav/ec2-github-runner@v2
+ with:
+ mode: start
+ github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+ ec2-image-id: ${{ secrets.UBUNTU2204_AMI_ID }}
+ ec2-instance-type: t3.small
+ subnet-id: ${{ secrets.SUBNET_ID }}
+ security-group-id: ${{ secrets.SG_ID }}
+ aws-resource-tags: > # optional, requires additional permissions
+ [
+ {"Key": "Name", "Value": "wazuh-ansible-gh-runner-wazuh"},
+ {"Key": "GitHubRepository", "Value": "${{ github.repository }}"},
+ {"Key": "team", "Value": "CICD"},
+ {"Key": "termination_date", "Value": "2022-12-31 21:00:00"}
+ ]
+ install-wazuh-single-instance:
+ name: Installs Wazuh server single instance
+ needs: start-runner # required to start the main job when the runner is ready
+ runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
+ steps:
+ - name: Check out the codebase.
+ uses: actions/checkout@v2
+ - name: Hack to get setup-python to work on act. See act issue 251
+ run: |
+ if [ ! -f "/etc/lsb-release" ] ; then
+ echo "DISTRIB_RELEASE=18.04" > /etc/lsb-release
+ fi
+ - name: Set up Python 3.
+ uses: actions/setup-python@v2
+ with:
+ python-version: '3.x'
+ - name: Ansible Playbook run Wazuh Single instance
+ run: ansible-playbook ./.github/playbooks/single-wazuh.yml
+ env:
+ PY_COLORS: '1'
+ ANSIBLE_FORCE_COLOR: '1'
+ stop-runner:
+ name: Stop self-hosted EC2 runner
+ needs:
+ - start-runner # required to get output from the start-runner job
+ - install-wazuh-single-instance # required to wait when the main job is done
+ runs-on: ubuntu-latest
+ if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
+ steps:
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ secrets.AWS_REGION }}
+ - name: Stop EC2 runner
+ uses: machulav/ec2-github-runner@v2
+ with:
+ mode: stop
+ github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+ label: ${{ needs.start-runner.outputs.label }}
+ ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }}
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..38bf9b6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,13 @@
+*.retry
+wazuh-agent.yml
+wazuh-elastic_stack-distributed.yml
+wazuh-elastic_stack-single.yml
+wazuh-elastic.yml
+wazuh-kibana.yml
+wazuh-manager.yml
+*.pyc
+.mypy_cache
+Pipfile.lock
+*.swp
+molecule/**/es_certs/
+molecule/**/opendistro/
\ No newline at end of file
diff --git a/.yamllint b/.yamllint
new file mode 100644
index 0000000..8827676
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,33 @@
+---
+# Based on ansible-lint config
+extends: default
+
+rules:
+ braces:
+ max-spaces-inside: 1
+ level: error
+ brackets:
+ max-spaces-inside: 1
+ level: error
+ colons:
+ max-spaces-after: -1
+ level: error
+ commas:
+ max-spaces-after: -1
+ level: error
+ comments: disable
+ comments-indentation: disable
+ document-start: disable
+ empty-lines:
+ max: 3
+ level: error
+ hyphens:
+ level: error
+ indentation: disable
+ key-duplicates: enable
+ line-length: disable
+ new-line-at-end-of-file: disable
+ new-lines:
+ type: unix
+ trailing-spaces: disable
+ truthy: disable
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..ac2f0c1
--- /dev/null
+++ b/CHANGELOG.md
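Review bot: `truthy: disable`, `indentation: disable`, `trailing-spaces: disable` and `new-line-at-end-of-file: disable` switch off precisely the checks that would have flagged this same commit (`become: no` and `update_cache: yes` in single-wazuh.yml, and every added YAML file ending without a newline), leaving yamllint to catch little beyond duplicate keys and bracket spacing. If the goal is to mirror the profile that ships with ansible-lint, name that upstream file in the header comment so the two can be diffed later. Otherwise keep `truthy` on: yamllint's rule takes `allowed-values: ['true', 'false']` and `check-keys: false`, which tolerates the GitHub Actions `on:` key while still flagging stray `yes`/`no` values. `# Based on ansible-lint config` alone does not say which version or why each rule was relaxed; a one-line reason per disabled rule would make the file maintainable.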
@@ -0,0 +1,730 @@ +# Change Log +All notable changes to this project will be documented in this file. + +## [v4.7.2] + +### Added + +- Update to [Wazuh v4.7.2](https://github.com/wazuh/wazuh/blob/v4.7.2/CHANGELOG.md#v472) + +## [v4.7.1] + +### Added + +- Update to [Wazuh v4.7.1](https://github.com/wazuh/wazuh/blob/v4.7.1/CHANGELOG.md#v471) + +## [v4.7.0] + +### Added + +- Update to [Wazuh v4.7.0](https://github.com/wazuh/wazuh/blob/v4.7.0/CHANGELOG.md#v470) + +## [v4.6.0] + +### Added + +- Update to [Wazuh v4.6.0](https://github.com/wazuh/wazuh/blob/v4.6.0/CHANGELOG.md#v460) + +## [v4.5.4] + +### Added + +- Update to [Wazuh v4.5.4](https://github.com/wazuh/wazuh/blob/v4.5.4/CHANGELOG.md#v454) + +## [v4.5.3] + +### Added + +- Update to [Wazuh v4.5.3](https://github.com/wazuh/wazuh/blob/v4.5.3/CHANGELOG.md#v453) + +## [v4.5.2] + +### Added + +- Update to [Wazuh v4.5.2](https://github.com/wazuh/wazuh/blob/v4.5.2/CHANGELOG.md#v452) + +## [v4.5.1] + +### Added + +- Update to [Wazuh v4.5.1](https://github.com/wazuh/wazuh/blob/v4.5.1/CHANGELOG.md#v451) + +## [v4.5.0] + +### Added + +- Update to [Wazuh v4.5.0](https://github.com/wazuh/wazuh/blob/v4.5.0/CHANGELOG.md#v450) + +## [v4.4.5] + +### Added + +- Update to [Wazuh v4.4.5](https://github.com/wazuh/wazuh/blob/v4.4.5/CHANGELOG.md#v445) + +## [v4.4.4] + +### Added + +- Update to [Wazuh v4.4.4](https://github.com/wazuh/wazuh/blob/v4.4.4/CHANGELOG.md#v444) + +## [v4.4.3] + +### Added + +- Update to [Wazuh v4.4.3](https://github.com/wazuh/wazuh/blob/v4.4.3/CHANGELOG.md#v443) + +## [v4.4.2] + +### Added + +- Update to [Wazuh v4.4.2](https://github.com/wazuh/wazuh/blob/v4.4.2/CHANGELOG.md#v442) + +## [v4.4.1] + +### Added + +- Update to [Wazuh v4.4.1](https://github.com/wazuh/wazuh/blob/v4.4.1/CHANGELOG.md#v441) + +## [v4.4.0] + +### Added + +- Update to [Wazuh v4.4.0](https://github.com/wazuh/wazuh/blob/v4.4.0/CHANGELOG.md#v440) + +## [v4.3.11] + +### Added + +- Update to [Wazuh 
v4.3.11](https://github.com/wazuh/wazuh/blob/v4.3.11/CHANGELOG.md#v4311) + +## [v4.3.10] + +### Added + +- Update to [Wazuh v4.3.10](https://github.com/wazuh/wazuh/blob/v4.3.10/CHANGELOG.md#v4310) + +## [v4.3.9] + +### Added + +- Update to [Wazuh v4.3.9](https://github.com/wazuh/wazuh/blob/v4.3.9/CHANGELOG.md#v439) + +## [v4.3.8] + +### Added + +- Update to [Wazuh v4.3.8](https://github.com/wazuh/wazuh/blob/v4.3.8/CHANGELOG.md#v438) + +## [v4.3.7] + +### Added + +- Update to [Wazuh v4.3.7](https://github.com/wazuh/wazuh/blob/v4.3.7/CHANGELOG.md#v437) + +## [v4.3.6] + +### Added + +- Update to [Wazuh v4.3.6](https://github.com/wazuh/wazuh/blob/v4.3.6/CHANGELOG.md#v436) + +## [v4.3.5] + +### Added + +- Update to [Wazuh v4.3.5](https://github.com/wazuh/wazuh/blob/v4.3.5/CHANGELOG.md#v435) + +## [v4.3.4] + +### Added + +- Update to [Wazuh v4.3.4](https://github.com/wazuh/wazuh/blob/v4.3.4/CHANGELOG.md#v434) + +## [v4.3.3] + +### Added + +- Update to [Wazuh v4.3.3](https://github.com/wazuh/wazuh/blob/v4.3.3/CHANGELOG.md#v433) + +## [v4.3.2] + +### Added + +- Update to [Wazuh v4.3.2](https://github.com/wazuh/wazuh/blob/v4.3.2/CHANGELOG.md#v432) + +## [v4.3.1] + +### Added + +- Update to [Wazuh v4.3.1](https://github.com/wazuh/wazuh/blob/v4.3.1/CHANGELOG.md#v431) + +## [v4.3.0] + +### Added + +- Update to [Wazuh v4.3.0](https://github.com/wazuh/wazuh/blob/v4.3.0/CHANGELOG.md#v430) + +## [v4.2.6] + +### Added + +- Update to [Wazuh v4.2.6](https://github.com/wazuh/wazuh/blob/v4.2.6/CHANGELOG.md#v426) + +## [v4.2.5] + +### Added + +- Update to [Wazuh v4.2.5](https://github.com/wazuh/wazuh/blob/v4.2.5/CHANGELOG.md#v425) + +## [v4.2.4] + +### Added + +- Update to [Wazuh v4.2.4](https://github.com/wazuh/wazuh/blob/v4.2.4/CHANGELOG.md#v424) + +## [v4.2.3] + +### Added + +- Update to [Wazuh v4.2.3](https://github.com/wazuh/wazuh/blob/v4.2.3/CHANGELOG.md#v423) + +## [v4.2.2] + +### Added + +- Update to [Wazuh v4.2.2](https://github.com/wazuh/wazuh/blob/v4.2.2/CHANGELOG.md#v422) + 
+## [v4.2.1] + +### Added + +- Update to [Wazuh v4.2.1](https://github.com/wazuh/wazuh/blob/v4.2.1/CHANGELOG.md#v421) + +## [v4.2.0] + +### Added + +- Update to [Wazuh v4.2.0](https://github.com/wazuh/wazuh/blob/v4.2.0/CHANGELOG.md#v420) + +## [v4.1.4] + +### Added + +- Update to [Wazuh v4.1.4](https://github.com/wazuh/wazuh/blob/v4.1.4/CHANGELOG.md#v414) + +## [v4.1.3] + +### Added + +- Update to [Wazuh v4.1.3](https://github.com/wazuh/wazuh/blob/v4.1.3/CHANGELOG.md#v413) + +## [v4.1.2] + +### Added + +- Update to [Wazuh v4.1.2](https://github.com/wazuh/wazuh/blob/v4.1.2/CHANGELOG.md#v412) + +## [v4.1.1] + +### Added + +- Update to [Wazuh v4.1.1](https://github.com/wazuh/wazuh/blob/v4.1.1/CHANGELOG.md#v411) +- Apply changes in ossec.conf file +- Modify jvm.options to [v7.10](https://www.elastic.co/guide/en/elasticsearch/reference/7.10/jvm-options.html) +- Change opendistro repository packages (opendistroforelasticsearch, elasticsearch-oss) to Wazuh URL and GPG key + +## [v4.0.4] + +### Added + +- Update to [Wazuh v4.0.4](https://github.com/wazuh/wazuh/blob/v4.0.4/CHANGELOG.md#v404) + +- Support for new Wazuh API config options. + +- Add localfile labels to agent ossec.conf template ([@dragospe](https://github.com/dragospe)) [PR#521](https://github.com/wazuh/wazuh-ansible/pull/521) + +### Changed + +- Please notice that default Kibana user in role defaults changed from `kibanaserver` to `admin`. See listed PRs below for details. 
+ +### Fixed + +- `create_user.py` generates invalid passwords ([@singuliere](https://github.com/singuliere)) [PR#519](https://github.com/wazuh/wazuh-ansible/pull/519) +- Fix invalid Jinja2 syntax in centralized configuration template ([@kravietz](https://github.com/kravietz)) [PR#528](https://github.com/wazuh/wazuh-ansible/pull/528) +- Replace default user for `opendistro-kibana` role ([@zenidd](https://github.com/zenidd)) [PR#529](https://github.com/wazuh/wazuh-ansible/pull/529) +- Remove legacy declarations of `od_node_name` in `opendistro-elasticsearch` ([@neonmei](https://github.com/neonmei), [@dragospe](https://github.com/dragospe)) [PR#530](https://github.com/wazuh/wazuh-ansible/pull/530) +- Add missing variable `elasticsearch_node_master` in `opendistro-elasticsearch` ([@neonmei](https://github.com/neonmei)) [PR#534](https://github.com/wazuh/wazuh-ansible/pull/534) +- Add missing variable `elasticsearch_network_host` in `opendistro-elasticsearch` ([@neonmei](https://github.com/neonmei)) [PR#540](https://github.com/wazuh/wazuh-ansible/pull/540) + + +## [v4.0.3] + +### Added + +- Update to Wazuh v4.0.3 + +### Fixed + +- Fix wrong `delegate_to` in task added by PR#488, hotfixed in `v4.0.2` in [PR#511](https://github.com/wazuh/wazuh-ansible/pull/511) + +## [v4.0.2] + +### Added + +- Update to Wazuh v4.0.2 + +### Changed + +- New role variables have been introduced (e.g: `wazuh_agent_api_validate`), see documentation or PRs listed here for details. +- Some variables have been deprecated (e.g: `wazuh_agent_nat`) in favour of other ones, see documentation or PRs listed here for details. + +### Fixed + +- Fix agent enrollment default value. Fix authd registration. 
[PR#505](https://github.com/wazuh/wazuh-ansible/issues/505) +- Remove async clause causing agent install timeout on resource-constrained Centos installations [PR#507](https://github.com/wazuh/wazuh-ansible/issues/507) +- Fix REST registration method for agents [PR#509](https://github.com/wazuh/wazuh-ansible/issues/509) +- `authd_pass` and `api_pass` [precedence](https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable) too high, lower to role defaults [PR#488](https://github.com/wazuh/wazuh-ansible/issues/488) + +## [v4.0.1] + +### Added + +- Update to Wazuh v4.0.1 +- Allow installing fixed Filebeat-oss version ([@Zenidd](https://github.com/Zenidd)) [PR#486](https://github.com/wazuh/wazuh-ansible/pull/486) +- Feature adapt molecule tests ([@neonmei](https://github.com/neonmei)) [PR#477](https://github.com/wazuh/wazuh-ansible/pull/477) + +### Fixed + +- Roles/elastic-stack: update jvm.options template per upstream updates ([@neonmei](https://github.com/neonmei)) [PR#501](https://github.com/wazuh/wazuh-ansible/pull/501) +- Improve linting history ([@neonmei](https://github.com/neonmei)) + - Fix lint opendistro kibana [PR#497](https://github.com/wazuh/wazuh-ansible/pull/497) + - Feature lint roles configurations [PR#496](https://github.com/wazuh/wazuh-ansible/pull/496) + - Feature lint role wazuh agent [PR#495](https://github.com/wazuh/wazuh-ansible/pull/495) + - Feature lint role filebeat oss [PR#494](https://github.com/wazuh/wazuh-ansible/pull/494) + - Lint role wazuh-manager [PR#493](https://github.com/wazuh/wazuh-ansible/pull/493) + - Feature lint role elasticsearch [PR#492](https://github.com/wazuh/wazuh-ansible/pull/492) + - Feature lint role opendistro-elasticsearch [PR#491](https://github.com/wazuh/wazuh-ansible/pull/491) + - Feature lint remove unused variables [PR#487](https://github.com/wazuh/wazuh-ansible/pull/487) + - Feature agent default vars depth reduction 
[PR#485](https://github.com/wazuh/wazuh-ansible/pull/485) +- Remove unnecesary nodejs dependency ([@neonmei](https://github.com/neonmei)) [PR#482](https://github.com/wazuh/wazuh-ansible/pull/482) +- Feature manager configuration unnest ([@neonmei](https://github.com/neonmei)) [PR#481](https://github.com/wazuh/wazuh-ansible/pull/481) +- Elastic API check fix ([@Zenidd](https://github.com/Zenidd)) [PR#480](https://github.com/wazuh/wazuh-ansible/pull/480) +- Improve handling of run_once at opendistro-elasticsearch role ([@neonmei](https://github.com/neonmei)) [PR#478](https://github.com/wazuh/wazuh-ansible/pull/478) + + +## [v4.0.0] + +### Added + +- Update to Wazuh v4.0.0 +- New example playbooks on README ([@Zenidd](https://github.com/Zenidd)) [PR#468](https://github.com/wazuh/wazuh-ansible/pull/468) + +### Fixed + +- Ensure recursive /usr/share/kibana permissions before installing WUI ([@Zenidd](https://github.com/Zenidd)) [PR#471](https://github.com/wazuh/wazuh-ansible/pull/471) +- Remove vuls integration ([@manuasir](https://github.com/manuasir)) [PR#469](https://github.com/wazuh/wazuh-ansible/pull/469) + + +## [v3.13.2] + +### Added + +- Update to Wazuh v3.13.2 +- Add kibana extra ssl option ([@xr09](https://github.com/xr09)) [PR#451](https://github.com/wazuh/wazuh-ansible/pull/451) +- Force basic auth ([@xr09](https://github.com/xr09)) [PR#456](https://github.com/wazuh/wazuh-ansible/pull/456) + +### Fixed + +- Fix check_mode condition ([@manuasir](https://github.com/manuasir)) [PR#452](https://github.com/wazuh/wazuh-ansible/pull/452) +- Fixes for opendistro role ([@xr09](https://github.com/xr09)) [PR#453](https://github.com/wazuh/wazuh-ansible/pull/453) + +## [v3.13.1_7.8.0] + +### Added + +- Update to Wazuh v3.13.1 +- Add support to configure path.repo option in ES. 
Required for backups/snapshots ([@pescobar](https://github.com/pescobar)) [PR#433](https://github.com/wazuh/wazuh-ansible/pull/433)
+
+### Changed
+
+- Update Opendistro tasks ([@jm404](https://github.com/jm404)) [PR#443](https://github.com/wazuh/wazuh-ansible/pull/443)
+- Provide ansible.cfg with merge hash_behaviour ([@xr09](https://github.com/xr09)) [PR#440](https://github.com/wazuh/wazuh-ansible/pull/440)
+
+### Fixed
+
+- Fixes for wazuh-agent registration ([@pchristos](https://github.com/pchristos)) [PR#406](https://github.com/wazuh/wazuh-ansible/pull/406)
+- Fixes for OpenDistro deployments ([@xr09](https://github.com/xr09)) [PR#445](https://github.com/wazuh/wazuh-ansible/pull/445)
+
+## [v3.13.0_7.7.1]
+
+### Added
+
+- Update to Wazuh v3.13.0
+- Open Distro-Kibana and Filebeat-oss roles ([@manuasir](https://github.com/manuasir)) [PR#424](https://github.com/wazuh/wazuh-ansible/pull/424)
+
+### Changed
+
+- Fetch ES template from wazuh/wazuh repository ([@Zenidd](https://github.com/Zenidd)) [PR#435](https://github.com/wazuh/wazuh-ansible/pull/435)
+
+### Fixed
+
+- Use local path while generating xpack certificates ([@xr09](https://github.com/xr09)) [PR#432](https://github.com/wazuh/wazuh-ansible/pull/432)
+
+## [v3.12.3_7.6.2]
+
+### Added
+
+- Update to Wazuh v3.12.2
+- AWS S3 block to template ([@limitup](https://github.com/limitup)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/413)
+
+### Changed
+
+- Update Kibana optimize task parameters and command ([@jm404](https://github.com/jm404)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/412)
+- Update Kibana optimize folder and owner ([@jm404](https://github.com/jm404)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/410)
+
+## [v3.12.2_7.6.2]
+
+### Added
+
+- Update to Wazuh v3.12.2
+
+### Fixed
+- Adjusting Kibana plugin optimization max memory ([@Zenidd](https://github.com/Zenidd)) [PR#404](https://github.com/wazuh/wazuh-ansible/pull/404)
+- Removed python-cryptography library tasks
([@Zenidd](https://github.com/Zenidd)) [PR#401](https://github.com/wazuh/wazuh-ansible/pull/401)
+- Removed duplicated task block ([@manuasir](https://github.com/manuasir)) [PR#400](https://github.com/wazuh/wazuh-ansible/pull/400)
+
+## [v3.12.0_7.6.1]
+
+### Added
+
+- Update to Wazuh v3.12.0
+- Added registration address variable to wazuh-agent playbook ([@Zenidd](https://github.com/Zenidd)) [PR#392](https://github.com/wazuh/wazuh-ansible/pull/392)
+
+### Changed
+
+- Bump NodeJS version to 10.x ([@manuasir](https://github.com/manuasir)) [PR#386](https://github.com/wazuh/wazuh-ansible/pull/386)
+- Add flag to enable/disable Windows MD5 check ([@jm404](https://github.com/jm404)) [PR#383](https://github.com/wazuh/wazuh-ansible/pull/383)
+- Rule paths are now relative to playbooks. ([@Zenidd ](https://github.com/Zenidd)) [PR#393](https://github.com/wazuh/wazuh-ansible/pull/393)
+- Add the option to create agent groups and add an agent to 1 or more group. ([@rshad](https://github.com/rshad)) [PR#361](https://github.com/wazuh/wazuh-ansible/pull/361)
+
+
+### Fixed
+
+- Removed bad formed XML comments. ([@manuasir](https://github.com/manuasir)) [PR#391](https://github.com/wazuh/wazuh-ansible/pull/391)
+- NodeJS node_options variable and Kibana plugin optimization fix. ([@Zenidd](https://github.com/Zenidd)) [PR#385](https://github.com/wazuh/wazuh-ansible/pull/385)
+- Restrictive permissions for certificate files.
([@Zenidd](https://github.com/Zenidd)) [PR#382](https://github.com/wazuh/wazuh-ansible/pull/382)
+
+## [v3.11.4_7.6.1]
+
+### Added
+
+- Update to Wazuh v3.11.4
+- Support for RHEL/CentOS 8 ([@jm404](https://github.com/jm404)) [PR#377](https://github.com/wazuh/wazuh-ansible/pull/377)
+
+### Changed
+
+- Disabled shared configuration by default ([@jm404](https://github.com/jm404)) [PR#369](https://github.com/wazuh/wazuh-ansible/pull/369)
+- Add chdir argument to Wazuh Kibana Plugin installation tasks ([@jm404](https://github.com/jm404)) [PR#375](https://github.com/wazuh/wazuh-ansible/pull/375)
+- Adjustments for systems without (direct) internet connection ([@joschneid](https://github.com/joschneid)) [PR#348](https://github.com/wazuh/wazuh-ansible/pull/348)
+
+### Fixed
+
+- Avoid to install Wazuh API in worker nodes ([@manuasir](https://github.com/manuasir)) [PR#371](https://github.com/wazuh/wazuh-ansible/pull/371)
+- Conditionals of custom Wazuh packages installation tasks ([@rshad](https://github.com/rshad)) [PR#372](https://github.com/wazuh/wazuh-ansible/pull/372)
+- Fix Ansible elastic_stack-distributed template ([@francobep](https://github.com/francobep)) [PR#352](https://github.com/wazuh/wazuh-ansible/pull/352)
+- Fix manager API verification ([@Zenidd](https://github.com/Zenidd)) [PR#360](https://github.com/wazuh/wazuh-ansible/pull/360)
+
+## [v3.11.3_7.5.2]
+
+### Added
+
+- Update to Wazuh v3.11.3
+
+### Fixed
+
+- Fix Wazuh Agent configuration file for RHEL 8 ([@xr09](https://github.com/xr09)) [PR#354](https://github.com/wazuh/wazuh-ansible/pull/354)
+- Fix default port used in Wazuh Agent playbook ([@jm404](https://github.com/jm404)) [PR#347](https://github.com/wazuh/wazuh-ansible/pull/347)
+
+## [v3.11.2_7.5.1]
+
+### Added
+
+- Update to Wazuh v3.11.2
+
+### Changed
+
+- Update templates for Python 3 compatibility ([@xr09](https://github.com/xr09)) [PR#344](https://github.com/wazuh/wazuh-ansible/pull/344)
+
+## [v3.11.1_7.5.1]
+
+### Added
+
+- Update
to Wazuh v3.11.1
+
+
+## [v3.11.0_7.5.1]
+
+### Added
+
+- Update to Wazuh v3.11.0
+
+- Implemented changes to configure Wazuh API using the `wazuh.yml` file ([@xr09](https://github.com/xr09)) [PR#342](https://github.com/wazuh/wazuh-ansible/pull/342)
+
+- Wazuh Agent registration task now explicitly notify restart ([@jm404](https://github.com/jm404)) [PR#302](https://github.com/wazuh/wazuh-ansible/pull/302)
+
+- Support both IP and DNS when creating elastic cluster ([@xr09](https://github.com/xr09)) [PR#252](https://github.com/wazuh/wazuh-ansible/pull/252)
+
+- Added config tag to the Wazuh Agent's enable task ([@xr09](https://github.com/xr09)) [PR#261](https://github.com/wazuh/wazuh-ansible/pull/261)
+
+- Implement task to configure Elasticsearch user on every cluster node ([@xr09](https://github.com/xr09)) [PR#270](https://github.com/wazuh/wazuh-ansible/pull/270)
+
+- Added SCA to Wazuh Agent and Manager installation ([@jm404](https://github.com/jm404)) [PR#260](https://github.com/wazuh/wazuh-ansible/pull/260)
+
+- Added support for environments with low disk space ([@xr09](https://github.com/xr09)) [PR#281](https://github.com/wazuh/wazuh-ansible/pull/281)
+
+- Add parameters to configure an Elasticsearch coordinating node ([@jm404](https://github.com/jm404)) [PR#292](https://github.com/wazuh/wazuh-ansible/pull/292)
+
+
+### Changed
+
+- Updated Filebeat and Elasticsearch templates ([@manuasir](https://github.com/manuasir)) [PR#285](https://github.com/wazuh/wazuh-ansible/pull/285)
+
+- Make ossec.conf file more readable by removing trailing whitespaces ([@jm404](https://github.com/jm404)) [PR#286](https://github.com/wazuh/wazuh-ansible/pull/286)
+
+- Wazuh repositories can now be configured to different sources URLs ([@jm404](https://github.com/jm404)) [PR#288](https://github.com/wazuh/wazuh-ansible/pull/288)
+
+- Wazuh App URL is now flexible ([@jm404](https://github.com/jm404)) [PR#304](https://github.com/wazuh/wazuh-ansible/pull/304)
+
+- Agent installation
task now does not hardcodes the "-1" sufix ([@jm404](https://github.com/jm404)) [PR#310](https://github.com/wazuh/wazuh-ansible/pull/310)
+
+- Enhanced task importation in Wazuh Manager role and removed deprecated warnings ([@xr09](https://github.com/xr09)) [PR#320](https://github.com/wazuh/wazuh-ansible/pull/320)
+
+- Wazuh API installation task have been upgraded ([@rshad](https://github.com/rshad)) [PR#330](https://github.com/wazuh/wazuh-ansible/pull/330)
+
+- It's now possible to install Wazuh Manager and Agent from sources ([@jm404](https://github.com/jm404)) [PR#329](https://github.com/wazuh/wazuh-ansible/pull/329)
+
+
+### Fixed
+
+- Ansible upgrade from 6.x to 7.x ([@jm404](https://github.com/jm404)) [PR#252](https://github.com/wazuh/wazuh-ansible/pull/251)
+
+- Wazuh Agent registration using agent name has been fixed ([@jm404](https://github.com/jm404)) [PR#298](https://github.com/wazuh/wazuh-ansible/pull/298)
+- Fix Wazuh repository and installation conditionals ([@jm404](https://github.com/jm404)) [PR#299](https://github.com/wazuh/wazuh-ansible/pull/299)
+
+- Fixed Wazuh Agent registration using an Agent's name ([@jm404](https://github.com/jm404)) [PR#334](https://github.com/wazuh/wazuh-ansible/pull/334)
+
+
+## [v3.11.0_7.3.2]
+
+### Added
+
+- Update to Wazuh v3.11.0
+
+### Changed
+
+- Moved molecule folder to Wazuh QA Repository [manuasir](https://github.com/manuasir) [#120ed16](https://github.com/wazuh/wazuh-ansible/commit/120ed163b6f131315848938beca65c1f1cad7f1b)
+
+- Refactored XPack Security configuration tasks [@jm404](https://github.com/jm404) [#246](https://github.com/wazuh/wazuh-ansible/pull/246)
+
+### Fixed
+
+- Fixed ES bootstrap password configuration [@jm404](https://github.com/jm404) [#b8803de](https://github.com/wazuh/wazuh-ansible/commit/b8803de85fb71edf090b0c076d4fe3684cd7cb36)
+
+## [v3.10.0_7.3.2]
+
+### Added
+
+- Update to Wazuh v3.10.0
+
+### Changed
+
+- Updated Kibana [@jm404](https://github.com/jm404)
[#237](https://github.com/wazuh/wazuh-ansible/pull/237)
+- Updated agent.conf template [@moodymob](https://github.com/moodymob) [#222](https://github.com/wazuh/wazuh-ansible/pull/222)
+- Improved molecule tests [@rshad](https://github.com/rshad) [#223](https://github.com/wazuh/wazuh-ansible/pull/223/files)
+- Moved "run_cluster_mode.sh" script to molecule folder [@jm404](https://github.com/jm404) [#a9d2c52](https://github.com/wazuh/wazuh-ansible/commit/a9d2c5201047c273c2c4fead5a54e576111da455)
+
+### Fixed
+
+- Fixed typo in the `agent.conf` template [@joey1a2b3c](https://github.com/joey1a2b3c) [#227](https://github.com/wazuh/wazuh-ansible/pull/227)
+- Updated conditionals in tasks to fix Amazon Linux installation [@jm404](https://github.com/jm404) [#229](https://github.com/wazuh/wazuh-ansible/pull/229)
+- Fixed Kibana installation in Amazon Linux [@jm404](https://github.com/jm404) [#232](https://github.com/wazuh/wazuh-ansible/pull/232)
+- Fixed Windows Agent installation and configuration [@jm404](https://github.com/jm404) [#234](https://github.com/wazuh/wazuh-ansible/pull/234)
+
+### Fixed
+
+- Removed registry key check on Wazuh Agent installation in windows [@jm404](https://github.com/jm404) [#265](https://github.com/wazuh/wazuh-ansible/pull/265)
+
+## [v3.9.5_7.2.1]
+
+### Added
+
+- Update to Wazuh v3.9.5
+- Update to Elastic Stack to v7.2.1
+
+## [v3.9.4_7.2.0]
+
+### Added
+
+- Support for registring agents behind NAT [@jheikki100](https://github.com/jheikki100) [#208](https://github.com/wazuh/wazuh-ansible/pull/208)
+
+### Changed
+
+- Default protocol to TCP [@ionphractal](https://github.com/ionphractal) [#204](https://github.com/wazuh/wazuh-ansible/pull/204).
+
+### Fixed
+
+- Fixed network.host is not localhost [@rshad](https://github.com/rshad) [#204](https://github.com/wazuh/wazuh-ansible/pull/212).
+
+## [v3.9.3_7.2.0]
+
+### Added
+- Update to Wazuh v3.9.3 ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#))
+- Added Versioning Control for Wazuh stack's components installation, so now it's possible to specify which package to install for wazuh-manager, wazuh-agent, Filebeat, Elasticsearch and Kibana. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#))
+- Fixes for Molecule testing issues. Issues such as Ansible-Lint and None-Idempotent tasks. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#))
+- Fixes for Wazuh components installations' related issues. Such issues were related to determined OS distributions such as `Ubuntu Trusty` and `CetOS 6`. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#))
+- Created Ansible playbook and role in order to automate the uninstallation of already installed Wazuh components. ([rshad](https://github.com/rshad) [PR#206](https://github.com/wazuh/wazuh-ansible/pull/206#))
+
+
+## [v3.9.2_7.1.1]
+
+### Added
+
+- Update to Wazuh v3.9.2
+- Support for Elastic 7
+- Ability to deploy an Elasticsearch cluster [#6b95e3](https://github.com/wazuh/wazuh-ansible/commit/6b95e304b6ac4dfec08df5cd0fe29be9cc7dc22c)
+
+## [v3.9.2_6.8.0]
+
+### Added
+
+- Update to Wazuh v3.9.2
+
+## [v3.9.1]
+
+### Added
+
+- Update to Wazuh v3.9.1
+- Support for ELK v6.8.0
+
+## [v3.9.0]
+
+### Added
+
+- Update to Wazuh Wazuh v3.9.0 ([manuasir](https://github.com/manuasir) [#177](https://github.com/wazuh/wazuh-ansible/pull/177)).
+- Support for Elasticsearch v6.7.1 ([LuisGi91](https://github.com/LuisGi91) [#168](https://github.com/wazuh/wazuh-ansible/pull/168)).
+- Added Molecule testing suit ([JJediny](https://github.com/JJediny) [#151](https://github.com/wazuh/wazuh-ansible/pull/151)).
+- Added Molecule tests for Wazuh Manager ([dj-wasabi](https://github.com/dj-wasabi) [#169](https://github.com/wazuh/wazuh-ansible/pull/169)).
+- Added Molecule tests for Wazuh Agent ([dj-wasabi](https://github.com/dj-wasabi) [#174](https://github.com/wazuh/wazuh-ansible/pull/174)).
+
+### Changed
+
+- Updated network commands ([kravietz](https://github.com/kravietz) [#159](https://github.com/wazuh/wazuh-ansible/pull/159)).
+- Enable active response section ([kravietz](https://github.com/kravietz) [#155](https://github.com/wazuh/wazuh-ansible/pull/155)).
+
+### Fixed
+
+- Fix default active response ([LuisGi93](https://github.com/LuisGi93) [#164](https://github.com/wazuh/wazuh-ansible/pull/164)).
+- Changing from Oracle Java to OpenJDK ([LuisGi93](https://github.com/LuisGi93) [#173](https://github.com/wazuh/wazuh-ansible/pull/173)).
+- Adding alias to agent config file template ([LuisGi93](https://github.com/LuisGi93) [#163](https://github.com/wazuh/wazuh-ansible/pull/163)).
+
+## [v3.8.2]
+
+### Changed
+
+- Update to Wazuh version v3.8.2. ([#150](https://github.com/wazuh/wazuh-ansible/pull/150))
+
+## [v3.8.1]
+
+### Changed
+- Update to Wazuh version v3.8.1.
([#148](https://github.com/wazuh/wazuh-ansible/pull/148))
+
+
+## [v3.8.0]
+
+### Added
+
+- Added custom name for single agent registration ([#117](https://github.com/wazuh/wazuh-ansible/pull/117))
+- Adapt ossec.conf file for windows agents ([#118](https://github.com/wazuh/wazuh-ansible/pull/118))
+- Added labels to ossec.conf ([#135](https://github.com/wazuh/wazuh-ansible/pull/135))
+
+### Changed
+
+- Changed Windows installation directory ([#116](https://github.com/wazuh/wazuh-ansible/pull/116))
+- move redundant tags to the outer block ([#133](https://github.com/wazuh/wazuh-ansible/pull/133))
+- Adapt new version (3.8.0-6.5.4) ([#144](https://github.com/wazuh/wazuh-ansible/pull/144))
+
+### Fixed
+
+- Fixed a couple linting issues with yamllint and ansible-review ([#111](https://github.com/wazuh/wazuh-ansible/pull/111))
+- Fixes typos: The word credentials doesn't have two consecutive e's ([#130](https://github.com/wazuh/wazuh-ansible/pull/130))
+- Fixed multiple remote connection ([#120](https://github.com/wazuh/wazuh-ansible/pull/120))
+- Fixed null value for wazuh_manager_fqdn ([#132](https://github.com/wazuh/wazuh-ansible/pull/132))
+- Erasing extra spaces in playbooks ([#131](https://github.com/wazuh/wazuh-ansible/pull/131))
+- Fixed oracle java cookies ([#143](https://github.com/wazuh/wazuh-ansible/pull/143))
+
+### Removed
+
+- delete useless files from wazuh-manager role ([#137](https://github.com/wazuh/wazuh-ansible/pull/137))
+
+## [v3.7.2]
+
+### Changed
+
+- Adapt configuration to current release ([#106](https://github.com/wazuh/wazuh-ansible/pull/106))
+
+## [v3.7.1]
+
+### Added
+
+ - include template local_internal_options.conf. ([#87](https://github.com/wazuh/wazuh-ansible/pull/87))
+ - Add multiple Elasticsearch IPs for Logstash reports. ([#92](https://github.com/wazuh/wazuh-ansible/pull/92))
+
+### Changed
+
+ - Changed windows agent version.
([#89](https://github.com/wazuh/wazuh-ansible/pull/89))
+ - Updating to Elastic Stack to 6.5.3 and Wazuh 3.7.1. ([#108](https://github.com/wazuh/wazuh-ansible/pull/108))
+
+### Fixed
+
+- Solve the conflict betwwen tha agent configuration and the shared master configuration. Also include monitoring for `/var/log/auth.log`. ([#90](https://github.com/wazuh/wazuh-ansible/pull/90))
+- Moved custom_ruleset files. ([#98](https://github.com/wazuh/wazuh-ansible/pull/98))
+- Add authlog fix to localfile. ([#99](https://github.com/wazuh/wazuh-ansible/pull/99))
+- Exceptions reload systemd. ([#114](https://github.com/wazuh/wazuh-ansible/pull/114))
+
+### Removed
+
+- clean old code for windows agent. ([#86](https://github.com/wazuh/wazuh-ansible/pull/86))
+
+## v3.7.0-3701
+
+### Added
+
+- Amazon Linux deployments are now supported ([#71](https://github.com/wazuh/wazuh-ansible/pull/71)) and for the old repository structure ([#67](https://github.com/wazuh/wazuh-ansible/pull/67))
+- Added the option to add rule files and decoders directly over the local rule and decoder directories in /var/ossec/etc ([#81](https://github.com/wazuh/wazuh-ansible/pull/81)).
+- Added the necessary variables to configure a new configuration template for the Wazuh API ([#80](https://github.com/wazuh/wazuh-ansible/pull/80)).
+- Added the option to verify the shared configuration for agents set in the manager ([#76](https://github.com/wazuh/wazuh-ansible/pull/76)).
+- Added the option to configure the active response ([#75](https://github.com/wazuh/wazuh-ansible/pull/75)).
+
+### Changed
+
+- Repository restructure.
+- Extended conditions to register a Wazuh agent. Now will register the agent in cases where there is no client.keys or the file exists but this empty ([#79](https://github.com/wazuh/wazuh-ansible/pull/79)).
+- Grouping of tasks in a block under the same condition to improve the efficiency of the code ([#74](https://github.com/wazuh/wazuh-ansible/pull/74)).
+- Improved efficiency of the Java repository ([#73](https://github.com/wazuh/wazuh-ansible/pull/73)).
+
+### Fixed
+
+- Fix oracle java cookie ([#71](https://github.com/wazuh/wazuh-ansible/pull/71)).
+- include the logall_json label in ossec.conf template. This was causing an error when recreating the cdb_lists ([#84](https://github.com/wazuh/wazuh-ansible/pull/84)).
+
+## v3.6.0
+
+Ansible starting point.
+
+Roles:
+ - Elastic Stack:
+ - ansible-elasticsearch: This role is prepared to install elasticsearch on the host that runs it.
+ - ansible-kibana: Using this role we will install Kibana on the host that runs it.
+ - Wazuh:
+ - ansible-filebeat: This role is prepared to install filebeat on the host that runs it.
+ - ansible-wazuh-manager: With this role we will install Wazuh manager and Wazuh API on the host that runs it.
+ - ansible-wazuh-agent: Using this role we will install Wazuh agent on the host that runs it and is able to register it.
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..a6376ec
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,475 @@
+
+ Portions Copyright (C) 2017, Wazuh, Inc.
+ Based on work Copyright (C) 2003 - 2013 Trend Micro, Inc.
+
+ This program is a free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License (version 2) as
+ published by the FSF - Free Software Foundation.
+
+ In addition, certain source files in this program permit linking with the
+ OpenSSL library (http://www.openssl.org), which otherwise wouldn't be allowed
+ under the GPL. For purposes of identifying OpenSSL, most source files giving
+ this permission limit it to versions of OpenSSL having a license identical to
+ that listed in this file (see section "OpenSSL LICENSE" below). It is not
+ necessary for the copyright years to match between this file and the OpenSSL
+ version in question. However, note that because this file is an extension of
+ the license statements of these source files, this file may not be changed
+ except with permission from all copyright holders of source files in this
+ program which reference this file.
+
+ Note that this license applies to the source code, as well as
+ decoders, rules and any other data file included with OSSEC (unless
+ otherwise specified).
+
+ For the purpose of this license, we consider an application to constitute a
+ "derivative work" or a work based on this program if it does any of the
+ following (list not exclusive):
+
+ * Integrates source code/data files from OSSEC.
+ * Includes OSSEC copyrighted material.
+ * Includes/integrates OSSEC into a proprietary executable installer.
+ * Links to a library or executes a program that does any of the above.
+
+ This list is not exclusive, but just a clarification of our interpretation
+ of derived works. These restrictions only apply if you actually redistribute
+ OSSEC (or parts of it).
+
+ We don't consider these to be added restrictions on top of the GPL,
+ but just a clarification of how we interpret "derived works" as it
+ applies to OSSEC.
This is similar to the way Linus Torvalds has
+ announced his interpretation of how "derived works" applies to Linux kernel
+ modules. Our interpretation refers only to OSSEC - we don't speak
+ for any other GPL products.
+
+ * As a special exception, the copyright holders give
+ * permission to link the code of portions of this program with the
+ * OpenSSL library under certain conditions as described in each
+ * individual source file, and distribute linked combinations
+ * including the two.
+ * You must obey the GNU General Public License in all respects
+ * for all of the code used other than OpenSSL. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you
+ * do not wish to do so, delete this exception statement from your
+ * version. If you delete this exception statement from all source
+ * files in the program, then also delete it here.
+
+ OSSEC HIDS is distributed in the hope that it will be useful, but WITHOUT
+ ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ FITNESS FOR A PARTICULAR PURPOSE.
+ See the GNU General Public License Version 2 below for more details.
+
+-----------------------------------------------------------------------------
+
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.
This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents.
We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.
But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6.
Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. 
Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. 
Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + +------------------------------------------------------------------------------- + +OpenSSL License +--------------- + + LICENSE ISSUES + ============== + + The OpenSSL toolkit stays under a dual license, i.e. both the conditions of + the OpenSSL License and the original SSLeay license apply to the toolkit. + See below for the actual license texts. Actually both licenses are BSD-style + Open Source licenses. In case of any license issues related to OpenSSL + please contact openssl-core@openssl.org. 
+ + OpenSSL License + --------------- + +/* ==================================================================== + * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + + Original SSLeay License + ----------------------- + +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. 
+ * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the routines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. 
this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ diff --git a/VERSION b/VERSION new file mode 100644 index 0000000..f7c490f --- /dev/null +++ b/VERSION @@ -0,0 +1,2 @@ +WAZUH-ANSIBLE_VERSION="v4.7.2" +REVISION="40710" diff --git a/playbooks/ansible.cfg b/playbooks/ansible.cfg new file mode 100644 index 0000000..e153953 --- /dev/null +++ b/playbooks/ansible.cfg @@ -0,0 +1,2 @@ +[defaults] +hash_behaviour=merge diff --git a/playbooks/wazuh-dashboard.yml b/playbooks/wazuh-dashboard.yml new file mode 100644 index 0000000..5a50cba --- /dev/null +++ b/playbooks/wazuh-dashboard.yml @@ -0,0 +1,6 @@ +--- +- hosts: wi1 + roles: + - role: ../roles/wazuh/wazuh-dashboard + vars: + ansible_shell_allow_world_readable_temp: true diff --git a/playbooks/wazuh-indexer.yml b/playbooks/wazuh-indexer.yml new file mode 100644 index 0000000..34d999c --- /dev/null +++ b/playbooks/wazuh-indexer.yml @@ -0,0 +1,20 @@ +--- +- hosts: wi_cluster + roles: + - role: ../roles/wazuh/wazuh-indexer + + vars: + instances: # A certificate will be generated for every node using the name as CN. + node1: + name: node-1 + ip: + role: indexer + node2: + name: node-2 + ip: + role: indexer + node3: + name: node-3 + ip: + role: indexer + diff --git a/playbooks/wazuh-manager-oss-cluster.yml b/playbooks/wazuh-manager-oss-cluster.yml new file mode 100644 index 0000000..5710958 --- /dev/null +++ b/playbooks/wazuh-manager-oss-cluster.yml 
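Review bot: `hash_behaviour=merge` in playbooks/ansible.cfg is a directory-wide setting, so every dictionary variable in every play run from here is deep-merged with the role defaults instead of replacing them, which is presumably what lets the partial `wazuh_manager_config` blocks in the manager playbooks keep whatever keys they do not list. That coupling is invisible to anyone who runs the same playbooks from another directory or with `ANSIBLE_CONFIG` pointing elsewhere, where the partial dict would silently drop the defaults. A comment above the line, `# Required: playbooks pass partial wazuh_manager_config dicts that must merge with role defaults`, makes the dependency explicit; longer term the roles could apply the `combine` filter themselves so the merge does not hinge on this global.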
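Review bot: `ansible_shell_allow_world_readable_temp: true` in playbooks/wazuh-dashboard.yml relaxes the permissions of Ansible's remote temp directory for every task of the play, so module payloads and any credentials passed as module arguments sit briefly world-readable on the target; the same value is set in playbooks/wazuh-production-ready.yml and playbooks/wazuh-single.yml. The setting exists only as a fallback for becoming an unprivileged user on hosts without `setfacl`, and none of these three plays configures an unprivileged become user (this one has no `become` at all, the other two use `become_user: root`), so it appears to buy nothing but the exposure. Drop it, and where a non-root become target is ever needed, install `acl` first (as roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml already does) instead of loosening the temp files.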
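Review bot: the three `ip:` keys in playbooks/wazuh-indexer.yml are bare, so YAML loads them as null and whatever renders `instances.*.ip` into the certificate SANs receives `None` or an empty string rather than an address. If the operator is meant to fill them in, say so with a quoted, obviously bogus placeholder such as `ip: "<NODE_1_IP>"` so the run fails visibly instead of producing certificates with no IP SAN. The `# A certificate will be generated ...` comment on `instances:` could also state that `ip` is mandatory.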
@@ -0,0 +1,50 @@ +--- +# Wazuh cluster without Filebeat + - hosts: manager + roles: + - role: "../roles/wazuh/ansible-wazuh-manager" + become: yes + become_user: root + vars: + wazuh_manager_config: + connection: + - type: 'secure' + port: '1514' + protocol: 'tcp' + queue_size: 131072 + api: + https: 'yes' + cluster: + disable: 'no' + node_name: 'master' + node_type: 'master' + key: 'c98b62a9b6169ac5f67dae55ae4a9088' + nodes: + - "{{ hostvars.manager.private_ip }}" + hidden: 'no' + wazuh_api_users: + - username: custom-user + password: SecretPassword1! + + - hosts: worker01 + roles: + - role: "../roles/wazuh/ansible-wazuh-manager" + become: yes + become_user: root + vars: + wazuh_manager_config: + connection: + - type: 'secure' + port: '1514' + protocol: 'tcp' + queue_size: 131072 + api: + https: 'yes' + cluster: + disable: 'no' + node_name: 'worker_01' + node_type: 'worker' + key: 'c98b62a9b6169ac5f67dae55ae4a9088' + nodes: + - "{{ hostvars.manager.private_ip }}" + hidden: 'no' diff --git a/playbooks/wazuh-manager-oss.yml b/playbooks/wazuh-manager-oss.yml new file mode 100644 index 0000000..9e9c4cb --- /dev/null +++ b/playbooks/wazuh-manager-oss.yml @@ -0,0 +1,9 @@ +--- +- hosts: managers + roles: + - role: ../roles/wazuh/ansible-wazuh-manager + - role: ../roles/wazuh/ansible-filebeat-oss + filebeat_output_indexer_hosts: + - ":9200" + - ":9200" + - ":9200" diff --git a/playbooks/wazuh-production-ready.yml b/playbooks/wazuh-production-ready.yml new file mode 100644 index 0000000..a6ea309 --- /dev/null +++ b/playbooks/wazuh-production-ready.yml 
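Review bot: the Wazuh cluster `key: 'c98b62a9b6169ac5f67dae55ae4a9088'` and the API password `SecretPassword1!` are committed as literals in playbooks/wazuh-manager-oss-cluster.yml, once per play, and the same two values recur in playbooks/wazuh-production-ready.yml. Anyone who deploys the playbook as-is runs a cluster whose node-authentication key and API credentials are public in this repository, and the duplicated key can drift between the master and worker plays without any error. Move both into a vault-encrypted vars file and reference them, `key: "{{ wazuh_cluster_key }}"` and `password: "{{ wazuh_api_password }}"`, so each is defined once and never lands in git in clear. The `https: 'yes'`, `disable: 'no'` and `hidden: 'no'` values are quoted strings rather than booleans, which looks deliberate if the role writes them verbatim into ossec.conf, but a comment saying so would stop a linter-driven change to `true`/`false`.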
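Review bot: `filebeat_output_indexer_hosts` in playbooks/wazuh-manager-oss.yml lists three entries of `":9200"` with an empty host part, which roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 renders verbatim as `- :9200`, so the committed playbook produces a Filebeat output that cannot connect anywhere. If these are placeholders, label them so they are greppable and fail loudly, e.g. `- "<INDEXER_1_IP>:9200"`, and add a comment above the list saying the operator must replace them.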
@@ -0,0 +1,176 @@ +--- +# Certificates generation + - hosts: wi1 + roles: + - role: ../roles/wazuh/wazuh-indexer + indexer_network_host: "{{ private_ip }}" + indexer_cluster_nodes: + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" + indexer_discovery_nodes: + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" + perform_installation: false + become: no + vars: + indexer_node_master: true + instances: + node1: + name: node-1 # Important: must be equal to indexer_node_name. + ip: "{{ hostvars.wi1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. + role: indexer + node2: + name: node-2 + ip: "{{ hostvars.wi2.private_ip }}" + role: indexer + node3: + name: node-3 + ip: "{{ hostvars.wi3.private_ip }}" + role: indexer + node4: + name: node-4 + ip: "{{ hostvars.manager.private_ip }}" + role: wazuh + node_type: master + node5: + name: node-5 + ip: "{{ hostvars.worker.private_ip }}" + role: wazuh + node_type: worker + node6: + name: node-6 + ip: "{{ hostvars.dashboard.private_ip }}" + role: dashboard + tags: + - generate-certs + +# Wazuh indexer cluster + - hosts: wi_cluster + strategy: free + roles: + - role: ../roles/wazuh/wazuh-indexer + indexer_network_host: "{{ private_ip }}" + become: yes + become_user: root + vars: + indexer_cluster_nodes: + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" + indexer_discovery_nodes: + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" + indexer_node_master: true + instances: + node1: + name: node-1 # Important: must be equal to indexer_node_name. + ip: "{{ hostvars.wi1.private_ip }}" # When unzipping, the node will search for its node name folder to get the cert. 
+ role: indexer + node2: + name: node-2 + ip: "{{ hostvars.wi2.private_ip }}" + role: indexer + node3: + name: node-3 + ip: "{{ hostvars.wi3.private_ip }}" + role: indexer + node4: + name: node-4 + ip: "{{ hostvars.manager.private_ip }}" + role: wazuh + node_type: master + node5: + name: node-5 + ip: "{{ hostvars.worker.private_ip }}" + role: wazuh + node_type: worker + node6: + name: node-6 + ip: "{{ hostvars.dashboard.private_ip }}" + role: dashboard + +# Wazuh cluster + - hosts: manager + roles: + - role: "../roles/wazuh/ansible-wazuh-manager" + - role: "../roles/wazuh/ansible-filebeat-oss" + filebeat_node_name: node-4 + become: yes + become_user: root + vars: + wazuh_manager_config: + connection: + - type: 'secure' + port: '1514' + protocol: 'tcp' + queue_size: 131072 + api: + https: 'yes' + cluster: + disable: 'no' + node_name: 'master' + node_type: 'master' + key: 'c98b62a9b6169ac5f67dae55ae4a9088' + nodes: + - "{{ hostvars.manager.private_ip }}" + hidden: 'no' + wazuh_api_users: + - username: custom-user + password: SecretPassword1! 
+ filebeat_output_indexer_hosts: + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" + + - hosts: worker + roles: + - role: "../roles/wazuh/ansible-wazuh-manager" + - role: "../roles/wazuh/ansible-filebeat-oss" + filebeat_node_name: node-5 + become: yes + become_user: root + vars: + wazuh_manager_config: + connection: + - type: 'secure' + port: '1514' + protocol: 'tcp' + queue_size: 131072 + api: + https: 'yes' + cluster: + disable: 'no' + node_name: 'worker_01' + node_type: 'worker' + key: 'c98b62a9b6169ac5f67dae55ae4a9088' + nodes: + - "{{ hostvars.manager.private_ip }}" + hidden: 'no' + filebeat_output_indexer_hosts: + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" + +# Wazuh dashboard node + - hosts: dashboard + roles: + - role: "../roles/wazuh/wazuh-dashboard" + become: yes + become_user: root + vars: + indexer_network_host: "{{ hostvars.wi1.private_ip }}" + indexer_cluster_nodes: + - "{{ hostvars.wi1.private_ip }}" + - "{{ hostvars.wi2.private_ip }}" + - "{{ hostvars.wi3.private_ip }}" + dashboard_node_name: node-6 + wazuh_api_credentials: + - id: default + url: https://{{ hostvars.manager.private_ip }} + port: 55000 + username: custom-user + password: SecretPassword1! + ansible_shell_allow_world_readable_temp: true diff --git a/playbooks/wazuh-single.yml b/playbooks/wazuh-single.yml new file mode 100644 index 0000000..38499f5 --- /dev/null +++ b/playbooks/wazuh-single.yml 
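Review bot: the API user `custom-user` / `SecretPassword1!` is defined under `wazuh_api_users` in the manager play of playbooks/wazuh-production-ready.yml and retyped under `wazuh_api_credentials` in the dashboard play, and the cluster `key` is retyped in the master and worker plays; nothing ties the copies together, so editing one silently breaks the dashboard's API login or splits the cluster. Define each once (group_vars or a vault-encrypted `vars_files` entry, since both are secrets) and reference it from every play, e.g. `password: "{{ wazuh_api_password }}"` in both places. The dashboard play's `url: https://{{ hostvars.manager.private_ip }}` is also an unquoted Jinja-bearing scalar that parses only because the value does not start with `{{`; `url: "https://{{ hostvars.manager.private_ip }}"` matches the quoting used for every other templated value in the file.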
@@ -0,0 +1,40 @@ +--- +# Certificates generation + - hosts: aio + roles: + - role: ../roles/wazuh/wazuh-indexer + perform_installation: false + become: no + #become_user: root + vars: + indexer_node_master: true + instances: + node1: + name: node-1 # Important: must be equal to indexer_node_name. + ip: 127.0.0.1 + role: indexer + tags: + - generate-certs +# Single node + - hosts: aio + become: yes + become_user: root + roles: + - role: ../roles/wazuh/wazuh-indexer + - role: ../roles/wazuh/ansible-wazuh-manager + - role: ../roles/wazuh/ansible-filebeat-oss + - role: ../roles/wazuh/wazuh-dashboard + vars: + single_node: true + minimum_master_nodes: 1 + indexer_node_master: true + indexer_network_host: 127.0.0.1 + filebeat_node_name: node-1 + filebeat_output_indexer_hosts: + - 127.0.0.1 + instances: + node1: + name: node-1 # Important: must be equal to indexer_node_name. + ip: 127.0.0.1 + role: indexer + ansible_shell_allow_world_readable_temp: true diff --git a/roles/elastic-stack/ansible-kibana/defaults/main.yml b/roles/elastic-stack/ansible-kibana/defaults/main.yml new file mode 100644 index 0000000..778b4f4 --- /dev/null +++ b/roles/elastic-stack/ansible-kibana/defaults/main.yml 
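Review bot: the first play in playbooks/wazuh-single.yml carries a commented-out `#become_user: root` directly under `become: no`, which reads as an unfinished edit rather than documentation; delete it, or replace it with a comment explaining why certificate generation runs unprivileged. The `instances` map is also repeated verbatim in both plays of the file, so `node-1` and its IP can diverge between the cert-generation step and the install step; a single `vars_files:` entry referenced from both plays would keep them in sync.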
@@ -0,0 +1,53 @@ +--- +kibana_node_name: node-1 + +elasticsearch_http_port: "9200" +elasticsearch_network_host: "127.0.0.1" +kibana_server_host: "0.0.0.0" +kibana_server_port: "5601" +kibana_conf_path: /etc/kibana +elastic_stack_version: 7.10.2 +wazuh_version: 4.4.1 +wazuh_app_url: https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana + +elasticrepo: + apt: 'https://artifacts.elastic.co/packages/7.x/apt' + yum: 'https://artifacts.elastic.co/packages/7.x/yum' + gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' + key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4' + +# API credentials +wazuh_api_credentials: + - id: "default" + url: "https://localhost" + port: 55000 + username: "wazuh" + password: "wazuh" + +# Xpack Security +kibana_xpack_security: false +kibana_ssl_verification_mode: "full" + +elasticsearch_xpack_security_user: elastic +elasticsearch_xpack_security_password: elastic_pass + +node_certs_destination: /etc/kibana/certs + +# CA Generation +master_certs_path: "{{ playbook_dir }}/es_certs" +generate_CA: true +ca_cert_name: "" + +# Nodejs +nodejs: + repo_dict: + debian: "deb" + redhat: "rpm" + repo_url_ext: "nodesource.com/setup_10.x" + +# Build from sources +build_from_sources: false +wazuh_plugin_branch: 4.1-7.10 + +#Nodejs NODE_OPTIONS +node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536 diff --git a/roles/opendistro/opendistro-kibana/defaults/main.yml b/roles/opendistro/opendistro-kibana/defaults/main.yml new file mode 100644 index 0000000..165a089 --- /dev/null +++ b/roles/opendistro/opendistro-kibana/defaults/main.yml 
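Review bot: roles/elastic-stack/ansible-kibana/defaults/main.yml ships working credentials as defaults (`wazuh`/`wazuh` for the Wazuh API, `elastic`/`elastic_pass` for X-Pack) alongside `kibana_xpack_security: false`, and the pattern repeats in roles/opendistro/opendistro-kibana/defaults/main.yml (`changeme`), roles/wazuh/ansible-filebeat-oss/defaults/main.yml (`indexer_security_password: changeme`) and roles/wazuh/ansible-filebeat/defaults/main.yml (`elastic_pass`). Defaults are the lowest-precedence source, so a deployment that forgets to override them runs with these values and nothing in the role objects; at minimum put `# Placeholder only: override in inventory or vault before deploying` above each credential, and consider an `assert` task that refuses to continue while a default is still in place. Separately, `wazuh_version: 4.4.1` and `wazuh_plugin_branch: 4.1-7.10` here (and `wazuh_template_branch: v4.4.1` in ansible-filebeat) do not match the `v4.7.2` in VERSION and in ansible-filebeat-oss; if the elastic-stack and opendistro roles are intentionally frozen on the last release that supported them, a comment saying so would prevent someone "fixing" the version.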
@@ -0,0 +1,60 @@ +--- + +# Kibana configuration +elasticsearch_http_port: 9200 +elastic_api_protocol: https +kibana_conf_path: /etc/kibana +kibana_node_name: node-1 +kibana_server_host: "0.0.0.0" +kibana_server_port: "5601" +kibana_server_name: "kibana" +kibana_max_payload_bytes: 1048576 +elastic_stack_version: 7.10.2 +wazuh_version: 4.4.1 +wazuh_app_url: https://packages.wazuh.com/4.x/ui/kibana/wazuh_kibana + +# The OpenDistro package repository +kibana_opendistro_version: 1.13.2-1 # Version includes the - for RedHat family compatibility, replace with = for Debian hosts + +package_repos: + yum: + opendistro: + baseurl: 'https://packages.wazuh.com/4.x/yum/' + gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' + apt: + opendistro: + baseurl: 'deb https://packages.wazuh.com/4.x/apt/ stable main' + gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' + +# API credentials +wazuh_api_credentials: + - id: "default" + url: "https://localhost" + port: 55000 + username: "wazuh" + password: "wazuh" + +# opendistro Security +kibana_opendistro_security: true +kibana_newsfeed_enabled: "false" +kibana_telemetry_optin: "false" +kibana_telemetry_enabled: "false" + +opendistro_admin_password: changeme +opendistro_kibana_user: kibanaserver +opendistro_kibana_password: changeme +local_certs_path: "{{ playbook_dir }}/opendistro/certificates" + +# Nodejs +nodejs: + repo_dict: + debian: "deb" + redhat: "rpm" + repo_url_ext: "nodesource.com/setup_10.x" + +# Build from sources +build_from_sources: false +wazuh_plugin_branch: 4.1-7.10 + +#Nodejs NODE_OPTIONS +node_options: --no-warnings --max-old-space-size=2048 --max-http-header-size=65536 diff --git a/roles/wazuh/ansible-filebeat-oss/README.md b/roles/wazuh/ansible-filebeat-oss/README.md new file mode 100644 index 0000000..cd091d2 --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/README.md 
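Review bot: `kibana_newsfeed_enabled: "false"`, `kibana_telemetry_optin: "false"` and `kibana_telemetry_enabled: "false"` in roles/opendistro/opendistro-kibana/defaults/main.yml are quoted strings, not booleans, so any `when: kibana_telemetry_enabled` style test in the role evaluates the non-empty string as true; only a verbatim `{{ var }}` substitution into kibana.yml yields the intended `false`. If the string form is required by the template, say so in a comment; otherwise use `false`, as `kibana_opendistro_security: true` two lines above already does. The inline comment on `kibana_opendistro_version` also documents a manual `-` to `=` substitution for Debian hosts; unless the tasks already translate it, a per-family mapping in the role would be safer than asking the operator to edit a default.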
@@ -0,0 +1,38 @@ +Ansible Role: Filebeat for Elastic Stack +------------------------------------ + +An Ansible Role that installs [Filebeat-oss](https://www.elastic.co/products/beats/filebeat), this can be used in conjunction with [ansible-wazuh-manager](https://github.com/wazuh/wazuh-ansible/ansible-wazuh-server). + +Requirements +------------ + +This role will work on: + * Red Hat + * CentOS + * Fedora + * Debian + * Ubuntu + +Role Variables +-------------- + +Available variables are listed below, along with default values (see `defaults/main.yml`): + +``` + filebeat_output_indexer_hosts: + - "localhost:9200" + +``` + +License and copyright +--------------------- + +WAZUH Copyright (C) 2016, Wazuh Inc. (License GPLv3) + +### Based on previous work from geerlingguy + + - https://github.com/geerlingguy/ansible-role-filebeat + +### Modified by Wazuh + +The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem. diff --git a/roles/wazuh/ansible-filebeat-oss/defaults/main.yml b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml new file mode 100644 index 0000000..79d0ff5 --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/defaults/main.yml 
@@ -0,0 +1,28 @@ +--- +filebeat_version: 7.10.2 + +wazuh_template_branch: v4.7.2 + +filebeat_node_name: node-1 + +filebeat_output_indexer_hosts: + - "localhost:9200" + +filebeat_module_package_name: wazuh-filebeat-0.3.tar.gz +filebeat_module_package_path: /tmp/ +filebeat_module_destination: /usr/share/filebeat/module +filebeat_module_folder: /usr/share/filebeat/module/wazuh +indexer_security_user: admin +indexer_security_password: changeme +# Security plugin +filebeat_security: true +filebeat_ssl_dir: /etc/pki/filebeat + +# Local path to store the generated certificates (Opensearch security plugin) +local_certs_path: "{{ playbook_dir }}/indexer/certificates" + +filebeatrepo: + apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main' + yum: 'https://packages.wazuh.com/4.x/yum/' + gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH' + key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145' \ No newline at end of file diff --git a/roles/wazuh/ansible-filebeat-oss/handlers/main.yml b/roles/wazuh/ansible-filebeat-oss/handlers/main.yml new file mode 100644 index 0000000..96e15a2 --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart filebeat + service: name=filebeat state=restarted diff --git a/roles/wazuh/ansible-filebeat-oss/meta/main.yml b/roles/wazuh/ansible-filebeat-oss/meta/main.yml new file mode 100644 index 0000000..4fd7e90 --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/meta/main.yml @@ -0,0 +1,29 @@ +--- +dependencies: [] + +galaxy_info: + author: Wazuh + description: Installing and maintaining Filebeat-oss. + company: wazuh.com + license: license (GPLv3) + min_ansible_version: 2.0 + platforms: + - name: EL + versions: + - 6 + - 7 + - name: Fedora + versions: + - all + - name: Debian + versions: + - jessie + - name: Ubuntu + versions: + - precise + - trusty + - xenial + galaxy_tags: + - web + - system + - monitoring 
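Review bot: roles/wazuh/ansible-filebeat-oss/tasks/main.yml builds the module download URL from `filebeat_module_package_url`, but roles/wazuh/ansible-filebeat-oss/defaults/main.yml defines only `filebeat_module_package_name` and `_path`, whereas the legacy roles/wazuh/ansible-filebeat/defaults/main.yml does define the URL. Presumably it comes from the included `../../vars/repo_vars.yml`, which is outside this diff; if so, a comment here, `# filebeat_module_package_url is provided by vars/repo_vars.yml`, saves the next reader the search, and if not, the role fails on an undefined variable the first time the module folder is missing. The file also ends without a trailing newline.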
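Review bot: the handler in roles/wazuh/ansible-filebeat-oss/handlers/main.yml uses the free-form `key=value` argument string, `service: name=filebeat state=restarted`, while every task in the role's task files uses block YAML; the same shorthand appears on the `file: dest=... mode=... recurse=yes` line in tasks/main.yml. ansible-lint flags this (`no-free-form`), and block form avoids quoting surprises when a value contains a space. Write it as `service:` with `name: filebeat` and `state: restarted` on their own lines.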
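Review bot: `min_ansible_version: 2.0` in roles/wazuh/ansible-filebeat-oss/meta/main.yml is loaded as a float, which ansible-lint's meta schema rejects in favour of a string and which misbehaves the moment someone writes `2.10` (it becomes `2.1`); quote it, `min_ansible_version: "2.0"`. The `platforms` list (EL 6/7, Ubuntu precise/trusty/xenial, Debian jessie) also looks stale against the README's generic list and the Wazuh 4.7 packages being installed; if it is only Galaxy metadata, trim it to the releases that are actually tested.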
diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml b/roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml new file mode 100644 index 0000000..638dbcf --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml @@ -0,0 +1,23 @@ +--- +- name: Debian/Ubuntu | Install apt-transport-https, ca-certificates and acl + apt: + name: + - apt-transport-https + - ca-certificates + - acl + state: present + register: filebeat_ca_packages_install + until: filebeat_ca_packages_install is succeeded + +- name: Debian/Ubuntu | Add Elasticsearch apt key. + apt_key: + url: "{{ filebeatrepo.gpg }}" + id: "{{ filebeatrepo.key_id }}" + state: present + +- name: Debian/Ubuntu | Add Filebeat-oss repository. + apt_repository: + repo: "{{ filebeatrepo.apt }}" + state: present + update_cache: true + changed_when: false diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/RMDebian.yml b/roles/wazuh/ansible-filebeat-oss/tasks/RMDebian.yml new file mode 100644 index 0000000..a51e3f7 --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/tasks/RMDebian.yml @@ -0,0 +1,6 @@ +--- +- name: Debian/Ubuntu | Remove Filebeat repository (and clean up left-over metadata) + apt_repository: + repo: "{{ filebeatrepo.apt }}" + state: absent + changed_when: false diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/RMRedHat.yml b/roles/wazuh/ansible-filebeat-oss/tasks/RMRedHat.yml new file mode 100644 index 0000000..abf858f --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/tasks/RMRedHat.yml @@ -0,0 +1,6 @@ +--- +- name: RedHat/CentOS/Fedora | Remove Filebeat repository (and clean up left-over metadata) + yum_repository: + name: wazuh_repo + state: absent + changed_when: false diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml b/roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml new file mode 100644 index 0000000..bdf4519 --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/tasks/RedHat.yml 
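Review bot: the task named `Debian/Ubuntu | Add Elasticsearch apt key.` in roles/wazuh/ansible-filebeat-oss/tasks/Debian.yml installs the key from `filebeatrepo.gpg`, which the role defaults point at `packages.wazuh.com/key/GPG-KEY-WAZUH`, so the name misdescribes what is being trusted; rename it `Debian/Ubuntu | Add Wazuh apt key.`. Pinning `id: "{{ filebeatrepo.key_id }}"` is the right call and should stay, since it is what makes a swapped key on the download host fail instead of being silently trusted. The `changed_when: false` on the repository task (also in RMDebian.yml, RMRedHat.yml and RedHat.yml) hides real changes from the play recap and from `--check` runs; if it exists only to keep a Molecule converge idempotent, a comment saying so is warranted. Note also that `apt_key` relies on the `apt-key` tool that current Debian/Ubuntu releases deprecate, so a `signed-by` keyring fetched with `get_url` plus `apt_repository` is the forward path.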
@@ -0,0 +1,9 @@ +--- +- name: RedHat/CentOS/Fedora/Amazon Linux | Install Filebeats repo + yum_repository: + name: wazuh_repo + description: Wazuh Repo + baseurl: "{{ filebeatrepo.yum }}" + gpgkey: "{{ filebeatrepo.gpg }}" + gpgcheck: true + changed_when: false diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/config.yml b/roles/wazuh/ansible-filebeat-oss/tasks/config.yml new file mode 100644 index 0000000..c6dcbe9 --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/tasks/config.yml @@ -0,0 +1,22 @@ +--- +- block: + - name: Copy Filebeat configuration. + template: + src: filebeat.yml.j2 + dest: "/etc/filebeat/filebeat.yml" + owner: root + group: root + mode: 0400 + notify: restart filebeat + + - name: Fetch latest Wazuh alerts template + get_url: + url: https://raw.githubusercontent.com/wazuh/wazuh/{{ wazuh_template_branch }}/extensions/elasticsearch/7.x/wazuh-template.json + dest: "/etc/filebeat/wazuh-template.json" + owner: root + group: root + mode: 0400 + notify: restart filebeat + + tags: + - configure diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/main.yml b/roles/wazuh/ansible-filebeat-oss/tasks/main.yml new file mode 100644 index 0000000..0e47cb3 --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/tasks/main.yml 
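Review bot: the `Fetch latest Wazuh alerts template` task in roles/wazuh/ansible-filebeat-oss/tasks/config.yml downloads `wazuh-template.json` from raw.githubusercontent.com at the `wazuh_template_branch` ref with no `checksum:`, and the result lands in /etc/filebeat as the index template Filebeat pushes to the indexer. The ref is a tag (`v4.7.2` in the role defaults), which is mutable on the Git side, so an integrity pin, `checksum: "sha256:<EXPECTED_SHA256>"`, or vendoring the file under the role's `files/` directory would make the deployment reproducible and independent of GitHub availability. The `mode: 0400` values are unquoted octal, which works on YAML 1.1 loaders but is what ansible-lint's `risky-octal` warns about; `mode: "0400"` is the safe spelling.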
@@ -0,0 +1,89 @@ +--- +- include_vars: ../../vars/repo_vars.yml + +- include_vars: ../../vars/repo.yml + when: packages_repository == 'production' + +- include_vars: ../../vars/repo_pre-release.yml + when: packages_repository == 'pre-release' + +- include_tasks: RedHat.yml + when: ansible_os_family == 'RedHat' + +- include_tasks: Debian.yml + when: ansible_os_family == 'Debian' + +- name: Install Filebeat | Redhat + yum: + name: "filebeat-{{ filebeat_version }}" + state: present + register: install + tags: + - install + - init + when: ansible_os_family == 'RedHat' + +- name: Install Filebeat | Debian + apt: + name: "filebeat={{ filebeat_version }}" + state: present + register: install + tags: + - install + - init + until: "install is not failed" + retries: 10 + delay: 10 + when: ansible_os_family == 'Debian' + +- name: Checking if Filebeat Module folder file exists + stat: + path: "{{ filebeat_module_folder }}" + register: filebeat_module_folder + +- name: Download Filebeat module package + get_url: + url: "{{ filebeat_module_package_url }}/{{ filebeat_module_package_name }}" + dest: "{{ filebeat_module_package_path }}" + when: not filebeat_module_folder.stat.exists + +- name: Unpack Filebeat module package + unarchive: + src: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" + dest: "{{ filebeat_module_destination }}" + remote_src: yes + when: not filebeat_module_folder.stat.exists + +- name: Setting 0755 permission for Filebeat module folder + file: dest={{ filebeat_module_folder }} mode=u=rwX,g=rwX,o=rwX recurse=yes + when: not filebeat_module_folder.stat.exists + +- name: Checking if Filebeat Module package file exists + stat: + path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" + register: filebeat_module_package + when: filebeat_module_package is not defined + +- name: Delete Filebeat module package file + file: + state: absent + path: "{{ filebeat_module_package_path }}/{{ filebeat_module_package_name }}" + 
when: filebeat_module_package.stat.exists + +- import_tasks: config.yml + notify: restart filebeat + +- include_tasks: security_actions.yml + when: filebeat_security + +- name: Ensure Filebeat is started and enabled at boot. + service: + name: filebeat + state: started + enabled: true + +- include_tasks: "RMRedHat.yml" + when: ansible_os_family == "RedHat" + +- include_tasks: "RMDebian.yml" + when: ansible_os_family == "Debian" diff --git a/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml b/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml new file mode 100644 index 0000000..e4fe6c4 --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml @@ -0,0 +1,26 @@ +- block: + + - name: Ensure Filebeat SSL key pair directory exists. + file: + path: "{{ filebeat_ssl_dir }}" + state: directory + owner: root + group: root + mode: 500 + + - name: Copy the certificates from local to the Manager instance + copy: + src: "{{ local_certs_path }}/wazuh-certificates/{{ item }}" + dest: "{{ filebeat_ssl_dir }}" + owner: root + group: root + mode: 400 + with_items: + - "{{ filebeat_node_name }}-key.pem" + - "{{ filebeat_node_name }}.pem" + - "root-ca.pem" + + tags: + - security + when: + - filebeat_security diff --git a/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 new file mode 100644 index 0000000..a9da9db --- /dev/null +++ b/roles/wazuh/ansible-filebeat-oss/templates/filebeat.yml.j2 
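Review bot: `Setting 0755 permission for Filebeat module folder` in roles/wazuh/ansible-filebeat-oss/tasks/main.yml actually applies `mode=u=rwX,g=rwX,o=rwX`, i.e. recursive 0777, making the Wazuh module definitions under /usr/share/filebeat/module/wazuh writable by every local user while Filebeat, normally running as root, reads them; the task name says 0755, so the intent is `mode=u=rwX,g=rX,o=rX`. The preceding `stat` task also does `register: filebeat_module_folder`, which shadows the role default of the same name with the stat result dict for the rest of the play, so `dest={{ filebeat_module_folder }}` on the permission task (and any later use of the variable) receives a dict rather than the path; register as `filebeat_module_folder_stat` and test `not filebeat_module_folder_stat.stat.exists`. Finally, the role removes the package repository again at the end via `RMRedHat.yml` / `RMDebian.yml`, so routine OS updates will not pick up Filebeat fixes; if that is deliberate to hold the pinned `filebeat_version`, a comment above those includes should say so.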
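Review bot: `mode: 500` and `mode: 400` in roles/wazuh/ansible-filebeat-oss/tasks/security_actions.yml are bare YAML integers, so Ansible receives decimal 500 and 400, which are octal 0764 and 0620: the SSL directory ends up group-writable and world-readable, and `{{ filebeat_node_name }}-key.pem` ends up owner read/write but group-writable. Ansible's file and copy modules only treat a mode as octal when it carries a leading zero or is quoted, so write `mode: "0500"` and `mode: "0400"` (the `mode: 0400` form used in tasks/config.yml works too, but the quoted string is what ansible-lint prefers). The `when: - filebeat_security` on the block duplicates the same condition on the `include_tasks` in tasks/main.yml; one of the two can go.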
@@ -0,0 +1,42 @@
+# Wazuh - Filebeat configuration file
+filebeat.modules:
+ - module: wazuh
+ alerts:
+ enabled: true
+ archives:
+ enabled: false
+
+setup.template.json.enabled: true
+setup.template.json.path: '/etc/filebeat/wazuh-template.json'
+setup.template.json.name: 'wazuh'
+setup.template.overwrite: true
+setup.ilm.enabled: false
+
+# Send events directly to Wazuh indexer
+output.elasticsearch:
+ hosts:
+{% for item in filebeat_output_indexer_hosts %}
+ - {{ item }}
+{% endfor %}
+
+{% if filebeat_security %}
+ username: {{ indexer_security_user }}
+ password: "{{ indexer_security_password }}"
+ protocol: https
+ ssl.certificate_authorities:
+ - {{ filebeat_ssl_dir }}/root-ca.pem
+ ssl.certificate: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}.pem"
+ ssl.key: "{{ filebeat_ssl_dir }}/{{ filebeat_node_name }}-key.pem"
+{% endif %}
+
+# Optional. Send events to Logstash instead of Wazuh indexer
+#output.logstash.hosts: ["YOUR_LOGSTASH_SERVER_IP:5000"]
+
+logging.metrics.enabled: false
+
+seccomp:
+ default_action: allow
+ syscalls:
+ - action: allow
+ names:
+ - rseq
diff --git a/roles/wazuh/ansible-filebeat/defaults/main.yml b/roles/wazuh/ansible-filebeat/defaults/main.yml
new file mode 100644
index 0000000..61cbfc4
--- /dev/null
+++ b/roles/wazuh/ansible-filebeat/defaults/main.yml
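Review bot: Several templated scalars are emitted unquoted — `- {{ item }}` under `hosts:`, `username: {{ indexer_security_user }}` and `- {{ filebeat_ssl_dir }}/root-ca.pem` — while `password`, `ssl.certificate` and `ssl.key` are quoted, so an empty value or one containing `#` or `: ` would change how Filebeat's YAML loader reads the rendered file. Quote them for consistency: `- "{{ item }}"`, `username: "{{ indexer_security_user }}"`, `- "{{ filebeat_ssl_dir }}/root-ca.pem"`. A comment above `{% if filebeat_security %}` noting that with the flag off `protocol` is left at Filebeat's plain-HTTP default would help, since this block is the only place in the file where transport security is decided.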
@@ -0,0 +1,36 @@
+---
+filebeat_version: 7.10.2
+
+wazuh_template_branch: v4.4.1
+
+filebeat_create_config: true
+
+filebeat_node_name: node-1
+
+filebeat_output_elasticsearch_hosts:
+ - "localhost:9200"
+
+filebeat_module_package_url: https://packages.wazuh.com/4.x/filebeat
+filebeat_module_package_name: wazuh-filebeat-0.1.tar.gz
+filebeat_module_package_path: /tmp/
+filebeat_module_destination: /usr/share/filebeat/module
+filebeat_module_folder: /usr/share/filebeat/module/wazuh
+
+# Xpack Security
+filebeat_xpack_security: false
+
+elasticsearch_xpack_security_user: elastic
+elasticsearch_xpack_security_password: elastic_pass
+
+node_certs_destination: /etc/filebeat/certs
+
+# CA Generation
+master_certs_path: "{{ playbook_dir }}/es_certs"
+generate_CA: true
+ca_cert_name: ""
+
+elasticrepo:
+ apt: 'https://artifacts.elastic.co/packages/7.x/apt'
+ yum: 'https://artifacts.elastic.co/packages/7.x/yum'
+ gpg: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
+ key_id: '46095ACC8548582C1A2699A9D27D666CD88E42B4'
diff --git a/roles/wazuh/ansible-wazuh-agent/README.md b/roles/wazuh/ansible-wazuh-agent/README.md
new file mode 100644
index 0000000..baf7e57
--- /dev/null
+++ b/roles/wazuh/ansible-wazuh-agent/README.md
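Review bot: `elasticsearch_xpack_security_user: elastic` and `elasticsearch_xpack_security_password: elastic_pass` ship a working credential pair as role defaults, so a deployment that turns on `filebeat_xpack_security` without overriding them silently runs with a guessable password. Prefer an empty default, `elasticsearch_xpack_security_password: ""`, and an `assert` in the tasks that the value is non-empty whenever security is enabled. A short comment above the `# Xpack Security` block pointing at ansible-vault, as the agent role's defaults already do, would make the expectation explicit.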
@@ -0,0 +1,58 @@ +Ansible Playbook - Wazuh agent +============================== + +This role will install and configure a Wazuh Agent. + +OS Requirements +---------------- + +This role is compatible with: + * Red Hat + * CentOS + * Fedora + * Debian + * Ubuntu + + +Role Variables +-------------- + +* `wazuh_managers`: Collection of Wazuh Managers' IP address, port, and protocol used by the agent +* `wazuh_agent_authd`: Collection with the settings to register an agent using authd. + +Playbook example +---------------- + +The following is an example of how this role can be used: + + - hosts: all:!wazuh-manager + roles: + - ansible-wazuh-agent + vars: + wazuh_managers: + - address: 127.0.0.1 + port: 1514 + protocol: tcp + api_port: 55000 + api_proto: 'http' + api_user: 'ansible' + wazuh_agent_authd: + registration_address: 127.0.0.1 + enable: true + port: 1515 + ssl_agent_ca: null + ssl_auto_negotiate: 'no' + + +License and copyright +--------------------- + +WAZUH Copyright (C) 2016, Wazuh Inc. (License GPLv3) + +### Based on previous work from dj-wasabi + + - https://github.com/dj-wasabi/ansible-ossec-server + +### Modified by Wazuh + +The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem. diff --git a/roles/wazuh/ansible-wazuh-agent/defaults/main.yml b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml new file mode 100644 index 0000000..da90982 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-agent/defaults/main.yml 
@@ -0,0 +1,376 @@ +--- +wazuh_agent_version: 4.7.2 + +# Custom packages installation + +wazuh_custom_packages_installation_agent_enabled: false +wazuh_custom_packages_installation_agent_deb_url: "" +wazuh_custom_packages_installation_agent_rpm_url: "" + +# Sources installation + +wazuh_agent_sources_installation: + enabled: false + branch: "v4.7.2" + user_language: "y" + user_no_stop: "y" + user_install_type: "agent" + user_dir: "/var/ossec" + user_delete_dir: "y" + user_enable_active_response: "y" + user_enable_syscheck: "y" + user_enable_rootcheck: "y" + user_enable_openscap: "n" + user_enable_sca: "y" + user_enable_authd: "y" + user_generate_authd_cert: "n" + user_update: "y" + user_binaryinstall: null + user_agent_server_ip: "YOUR_MANAGER_IP" + user_agent_server_name: null + user_agent_config_profile: null + user_ca_store: "{{ wazuh_dir }}/wpk_root.pem" + +wazuh_agent_yum_lock_timeout: 30 + +# We recommend the use of ansible-vault to protect Wazuh, api, agentless and authd credentials. 
+api_pass: wazuh +authd_pass: '' + +wazuh_api_reachable_from_agent: yes +wazuh_profile_centos: 'centos, centos7, centos7.6' +wazuh_profile_ubuntu: 'ubuntu, ubuntu18, ubuntu18.04' +wazuh_auto_restart: 'yes' + +wazuh_notify_time: '10' +wazuh_time_reconnect: '60' +wazuh_crypto_method: 'aes' +wazuh_winagent_config: + download_dir: C:\ + install_dir: C:\Program Files\ossec-agent\ + install_dir_x86: C:\Program Files (x86)\ossec-agent\ + auth_path: C:\Program Files\ossec-agent\agent-auth.exe + # Adding quotes to auth_path_x86 since win_shell outputs error otherwise + auth_path_x86: C:\'Program Files (x86)'\ossec-agent\agent-auth.exe + check_sha512: True + +wazuh_dir: "/var/ossec" + +# This is deprecated, see: wazuh_agent_address +wazuh_agent_nat: false + +########################################## +### Wazuh +########################################## + +wazuh_agent_nolog_sensible: yes +wazuh_agent_config_overlay: yes + +# This is a middle ground between breaking existing uses of wazuh_agent_nat +# and allow working with agents having several network interfaces +wazuh_agent_address: '{{ "any" if wazuh_agent_nat else ansible_default_ipv4.address }}' + +# List of managers. The first one with register variable declared *and* set to true +# is the one used to register the agent. Otherwise, the first one in the list will be used. 
+wazuh_managers: + - address: 127.0.0.1 + port: 1514 + protocol: tcp + api_port: 55000 + api_proto: https + api_user: wazuh + max_retries: 5 + retry_interval: 5 + register: yes + +## Authentication Method: Enrollment section (4.x) + +# For more information see: +# * https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/client.html#enrollment + +wazuh_agent_enrollment: + enabled: 'yes' + manager_address: '' + port: 1515 + agent_name: '' + groups: '' + agent_address: '' + ssl_ciphers: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH + server_ca_path: '' + agent_certificate_path: '' + agent_key_path: '' + authorization_pass_path: "{{ wazuh_dir }}/etc/authd.pass" + auto_method: 'no' + delay_after_enrollment: 20 + use_source_ip: 'no' + +## Authentication Method: invoking agent-auth + +# For more information see: +# * https://documentation.wazuh.com/current/user-manual/registering/password-authorization-registration.html + +wazuh_agent_authd: + registration_address: 127.0.0.1 + enable: false + port: 1515 + agent_name: null + groups: [] + ssl_agent_ca: null + ssl_agent_cert: null + ssl_agent_key: null + ssl_auto_negotiate: 'no' + +## Authentication Method: REST API + +# For more information see: +# * https://documentation.wazuh.com/current/user-manual/registering/restful-api-registration.html +wazuh_agent_api_validate: yes + +## Client buffer +wazuh_agent_client_buffer: + disable: 'no' + queue_size: '5000' + events_per_sec: '500' + +## Rootcheck +wazuh_agent_rootcheck: + frequency: 43200 + +## Wodles +wazuh_agent_openscap: + disable: 'yes' + timeout: 1800 + interval: '1d' + scan_on_start: 'yes' + +wazuh_agent_cis_cat: + disable: 'yes' + install_java: 'no' + timeout: 1800 + interval: '1d' + scan_on_start: 'yes' + java_path: 'wodles/java' + java_path_win: '\\server\jre\bin\java.exe' + ciscat_path: 'wodles/ciscat' + ciscat_path_win: 'C:\cis-cat' + +wazuh_agent_osquery: + disable: 'yes' + run_daemon: 'yes' + bin_path_win: 'C:\Program 
Files\osquery\osqueryd' + log_path: '/var/log/osquery/osqueryd.results.log' + log_path_win: 'C:\Program Files\osquery\log\osqueryd.results.log' + config_path: '/etc/osquery/osquery.conf' + config_path_win: 'C:\Program Files\osquery\osquery.conf' + add_labels: 'yes' + +wazuh_agent_syscollector: + disable: 'no' + interval: '1h' + scan_on_start: 'yes' + hardware: 'yes' + os: 'yes' + network: 'yes' + packages: 'yes' + ports_no: 'yes' + processes: 'yes' + +## SCA +wazuh_agent_sca: + enabled: 'yes' + scan_on_start: 'yes' + interval: '12h' + skip_nfs: 'yes' + day: '' + wday: '' + time: '' + +## Syscheck +wazuh_agent_syscheck: + frequency: 43200 + scan_on_start: 'yes' + auto_ignore: 'no' + win_audit_interval: 60 + skip_nfs: 'yes' + skip_dev: 'yes' + skip_proc: 'yes' + skip_sys: 'yes' + process_priority: 10 + max_eps: 100 + sync_enabled: 'yes' + sync_interval: '5m' + sync_max_interval: '1h' + sync_max_eps: 10 + ignore: + - /etc/mtab + - /etc/hosts.deny + - /etc/mail/statistics + - /etc/random-seed + - /etc/random.seed + - /etc/adjtime + - /etc/httpd/logs + - /etc/utmpx + - /etc/wtmpx + - /etc/cups/certs + - /etc/dumpdates + - /etc/svc/volatile + ignore_linux_type: + - '.log$|.swp$' + ignore_win: + - '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$' + no_diff: + - /etc/ssl/private.key + directories: + - dirs: /etc,/usr/bin,/usr/sbin + checks: '' + - dirs: /bin,/sbin,/boot + checks: '' + win_directories: + - dirs: '%WINDIR%' + checks: 'recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$"' + - dirs: '%WINDIR%\SysNative' + checks: >- + recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$| + net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$" + - dirs: '%WINDIR%\SysNative\drivers\etc%' + checks: 'recursion_level="0"' + - dirs: '%WINDIR%\SysNative\wbem' + checks: 'recursion_level="0" restrict="WMIC.exe$"' + - dirs: 
'%WINDIR%\SysNative\WindowsPowerShell\v1.0' + checks: 'recursion_level="0" restrict="powershell.exe$"' + - dirs: '%WINDIR%\SysNative' + checks: 'recursion_level="0" restrict="winrm.vbs$"' + - dirs: '%WINDIR%\System32' + checks: >- + recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$| + netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$" + - dirs: '%WINDIR%\System32\drivers\etc' + checks: 'recursion_level="0"' + - dirs: '%WINDIR%\System32\wbem' + checks: 'recursion_level="0" restrict="WMIC.exe$"' + - dirs: '%WINDIR%\System32\WindowsPowerShell\v1.0' + checks: 'recursion_level="0" restrict="powershell.exe$"' + - dirs: '%WINDIR%\System32' + checks: 'recursion_level="0" restrict="winrm.vbs$"' + - dirs: '%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup' + checks: 'realtime="yes"' + windows_registry: + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile' + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile' + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile' + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile' + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects' + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory' + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder' + - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols' + arch: "both" + - key: 'HKEY_LOCAL_MACHINE\Software\Policies' + arch: "both" + - key: 'HKEY_LOCAL_MACHINE\Security' + - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer' + arch: "both" + - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services' + - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs' + - key: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg' + - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run' + arch: "both" + 
- key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce' + arch: "both" + - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx' + - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL' + arch: "both" + - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies' + arch: "both" + - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows' + arch: "both" + - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' + arch: "both" + - key: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components' + arch: "both" + windows_registry_ignore: + - key: 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets' + - key: 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users' + - key: '\Enum$' + type: "sregex" + +## Localfile +wazuh_agent_localfiles: + debian: + - format: 'syslog' + location: '/var/log/auth.log' + - format: 'syslog' + location: '/var/log/syslog' + - format: 'syslog' + location: '/var/log/dpkg.log' + - format: 'syslog' + location: '/var/log/kern.log' + centos: + - format: 'syslog' + location: '/var/log/messages' + - format: 'syslog' + location: '/var/log/secure' + - format: 'syslog' + location: '/var/log/maillog' + - format: 'audit' + location: '/var/log/audit/audit.log' + linux: + - format: 'syslog' + location: "{{ wazuh_dir }}/logs/active-responses.log" + - format: 'full_command' + command: 'last -n 20' + frequency: '360' + - format: 'command' + command: df -P + frequency: '360' + - format: 'full_command' + command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d + alias: 'netstat listening ports' + frequency: '360' + windows: + - format: 'eventlog' + location: 'Application' + - format: 'eventchannel' + location: 'Security' + query: 
'Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]' + - format: 'eventlog' + location: 'System' + - format: 'syslog' + location: 'active-response\active-responses.log' + +## Labels +wazuh_agent_labels: + enable: false + list: + - key: Env + value: Production + +## Active response +wazuh_agent_active_response: + ar_disabled: 'no' + ca_store: "{{ wazuh_dir }}/etc/wpk_root.pem" + ca_store_win: 'wpk_root.pem' + ca_verification: 'yes' + +## Logging +wazuh_agent_log_format: 'plain' + +# wazuh_agent_config +wazuh_agent_config_defaults: + repo: '{{ wazuh_repo }}' + active_response: '{{ wazuh_agent_active_response }}' + log_format: '{{ wazuh_agent_log_format }}' + client_buffer: '{{ wazuh_agent_client_buffer }}' + syscheck: '{{ wazuh_agent_syscheck }}' + + rootcheck: '{{ wazuh_agent_rootcheck }}' + openscap: '{{ wazuh_agent_openscap }}' + + osquery: '{{ wazuh_agent_osquery }}' + syscollector: '{{ wazuh_agent_syscollector }}' + sca: '{{ wazuh_agent_sca }}' + cis_cat: '{{ wazuh_agent_cis_cat }}' + localfiles: '{{ wazuh_agent_localfiles }}' + + labels: '{{ wazuh_agent_labels }}' + enrollment: '{{ wazuh_agent_enrollment }}' diff --git a/roles/wazuh/ansible-wazuh-agent/handlers/main.yml b/roles/wazuh/ansible-wazuh-agent/handlers/main.yml new file mode 100644 index 0000000..84f3ff4 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-agent/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: restart wazuh-agent + service: name=wazuh-agent state=restarted enabled=yes + +- name: Windows | Restart Wazuh Agent + win_service: name=WazuhSvc start_mode=auto state=restarted diff --git a/roles/wazuh/ansible-wazuh-agent/meta/main.yml b/roles/wazuh/ansible-wazuh-agent/meta/main.yml new file mode 100644 index 0000000..7cd460c --- /dev/null +++ b/roles/wazuh/ansible-wazuh-agent/meta/main.yml 
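Review bot: `api_pass: wazuh` is a live default sitting directly under the comment that recommends ansible-vault, and Linux.yml sends it as the basic-auth password to the target manager's `/security/user/authenticate` endpoint, so an unvaulted run registers agents with a well-known credential; an empty default (`api_pass: ''`, matching `authd_pass`) plus an `assert` that it is non-empty before the REST-API block would fail fast instead. The same hunk mixes `wazuh_api_reachable_from_agent: yes` and `wazuh_agent_nolog_sensible: yes` (YAML 1.1 booleans) with `wazuh_auto_restart: 'yes'` and `enrollment.enabled: 'yes'` (strings); it works because each is compared consistently, but `true`/`false` for the values the tasks consume with `| bool` would make the distinction obvious to a reader. Keep `wazuh_managers[].register: yes` a bare boolean, since Linux.yml filters it with `selectattr('register', 'true')`, which only matches the boolean form.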
@@ -0,0 +1,23 @@
+---
+galaxy_info:
+ author: Wazuh
+ description: Installing, deploying and configuring Wazuh Agent.
+ company: wazuh.com
+ license: license (GPLv3)
+ min_ansible_version: 2.0
+ platforms:
+ - name: EL
+ versions:
+ - all
+ - name: Ubuntu
+ versions:
+ - all
+ - name: Debian
+ versions:
+ - all
+ - name: Fedora
+ versions:
+ - all
+ galaxy_tags:
+ - monitoring
+dependencies: []
diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Debian.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Debian.yml
new file mode 100644
index 0000000..ac49a71
--- /dev/null
+++ b/roles/wazuh/ansible-wazuh-agent/tasks/Debian.yml
@@ -0,0 +1,109 @@ +--- +- name: Update apt-get repo and cache + apt: + update_cache: yes + force_apt_get: yes + cache_valid_time: 3600 + +- name: Debian/Ubuntu | Install ca-certificates and gnupg + apt: + name: + - ca-certificates + - gnupg + state: present + register: wazuh_agent_ca_package_install + until: wazuh_agent_ca_package_install is succeeded + +- name: Debian/Ubuntu | Install apt-transport-https and acl + apt: + name: + - apt-transport-https + - acl + state: present + register: wazuh_agent_ca_package_install + until: wazuh_agent_ca_package_install is succeeded + when: not (ansible_distribution == "Debian" and ansible_distribution_major_version in ['11']) + +- name: Debian/Ubuntu | Installing Wazuh repository key (Ubuntu 14) + become: true + shell: | + set -o pipefail + curl -s {{ wazuh_agent_config.repo.gpg }} | apt-key add - + args: + warn: false + executable: /bin/bash + changed_when: false + when: + - ansible_distribution == "Ubuntu" + - ansible_distribution_major_version | int == 14 + - not wazuh_agent_sources_installation.enabled + - not wazuh_custom_packages_installation_agent_enabled + +- name: Debian/Ubuntu | Installing Wazuh repository key + apt_key: + url: "{{ wazuh_agent_config.repo.gpg }}" + id: "{{ wazuh_agent_config.repo.key_id }}" + when: + - not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14) + - not wazuh_agent_sources_installation.enabled + - not wazuh_custom_packages_installation_agent_enabled + +- name: Debian/Ubuntu | Add Wazuh repositories + apt_repository: + filename: wazuh_repo + repo: "{{ wazuh_agent_config.repo.apt }}" + state: present + update_cache: true + when: + - not wazuh_agent_sources_installation.enabled + - not wazuh_custom_packages_installation_agent_enabled + +- name: Debian/Ubuntu | Set Distribution CIS filename for debian + set_fact: + cis_distribution_filename: cis_debian_linux_rcl.txt + when: ansible_os_family == "Debian" + +- name: Debian/Ubuntu | Install OpenJDK-8 repo + 
apt_repository: + repo: 'ppa:openjdk-r/ppa' + state: present + update_cache: true + when: + - (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14) + +- when: + - wazuh_agent_config.cis_cat.disable == 'no' + - wazuh_agent_config.cis_cat.install_java == 'yes' + block: + - name: Debian/Ubuntu | Install OpenJDK 1.8 + apt: name=openjdk-8-jre state=present cache_valid_time=3600 + tags: + - init + +- name: Debian/Ubuntu | Install OpenScap + apt: + name: + - libopenscap8 + - xsltproc + state: present + when: wazuh_agent_config.openscap.disable == 'no' + tags: + - init + register: wazuh_agent_OpenScap_package_install + until: wazuh_agent_OpenScap_package_install is succeeded + +- name: Debian/Ubuntu | Get OpenScap installed version + shell: "dpkg-query --showformat='${Version}' --show libopenscap8" + register: openscap_version + changed_when: false + when: wazuh_agent_config.openscap.disable == 'no' + tags: + - config + +- name: Debian/Ubuntu | Check OpenScap version + shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?" + register: openscap_version_valid + changed_when: false + when: wazuh_agent_config.openscap.disable == 'no' + tags: + - config diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml new file mode 100644 index 0000000..99913e7 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Linux.yml 
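Review bot: The Ubuntu 14 key import, `curl -s {{ wazuh_agent_config.repo.gpg }} | apt-key add -`, lacks `-f`, so an HTTP error body is piped into apt-key instead of failing curl itself, and unlike the `apt_key` task right after it the fetched key is never checked against `wazuh_agent_config.repo.key_id`; `curl -fsS` is the minimum, and a fingerprint check would make the two paths equivalent. `changed_when: false` on that shell task also hides a real modification of the apt trust store. A smaller point of style: the second `apt:` task reuses `register: wazuh_agent_ca_package_install` from the first, which works but makes the two `until:` loops harder to tell apart.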
@@ -0,0 +1,279 @@ +--- +- include_tasks: "RedHat.yml" + when: ansible_os_family == "RedHat" + +- include_tasks: "Debian.yml" + when: ansible_os_family == "Debian" + +- include_tasks: "installation_from_sources.yml" + when: + - wazuh_agent_sources_installation.enabled + +- include_tasks: "installation_from_custom_packages.yml" + when: + - wazuh_custom_packages_installation_agent_enabled + +- name: Linux CentOS/RedHat | Install wazuh-agent + yum: + name: wazuh-agent-{{ wazuh_agent_version }} + state: present + lock_timeout: '{{ wazuh_agent_yum_lock_timeout }}' + when: + - ansible_os_family|lower == "redhat" + - not wazuh_agent_sources_installation.enabled + - not wazuh_custom_packages_installation_agent_enabled + tags: + - init + +- name: Linux Debian | Install wazuh-agent + apt: + name: "wazuh-agent={{ wazuh_agent_version }}-*" + state: present + cache_valid_time: 3600 + when: + - ansible_os_family|lower != "redhat" + - not wazuh_agent_sources_installation.enabled + - not wazuh_custom_packages_installation_agent_enabled + - not ansible_check_mode + tags: + - init + +- name: Linux | Check if client.keys exists + stat: + path: "{{ wazuh_dir }}/etc/client.keys" + register: client_keys_file + tags: + - config + +- name: Linux | Agent registration via authd + block: + + - name: Copy CA root certificate to verify authd + copy: + src: "{{ wazuh_agent_authd.ssl_agent_ca }}" + dest: "{{ wazuh_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}" + mode: 0644 + when: + - wazuh_agent_authd.ssl_agent_ca is not none + + - name: Copy TLS/SSL certificate for agent verification + copy: + src: "{{ item }}" + dest: "{{ wazuh_dir }}/etc/{{ item | basename }}" + mode: 0644 + with_items: + - "{{ wazuh_agent_authd.ssl_agent_cert }}" + - "{{ wazuh_agent_authd.ssl_agent_key }}" + when: + - wazuh_agent_authd.ssl_agent_cert is not none + - wazuh_agent_authd.ssl_agent_key is not none + + - name: Linux | Register agent (via authd) + shell: > + {{ wazuh_dir }}/bin/agent-auth + {% if 
wazuh_agent_authd.agent_name is defined and wazuh_agent_authd.agent_name != None %} + -A {{ wazuh_agent_authd.agent_name }} + {% endif %} + -m {{ wazuh_agent_authd.registration_address }} + -p {{ wazuh_agent_authd.port }} + {% if wazuh_agent_nat %} -I "any" {% endif %} + {% if authd_pass | length > 0 %} -P {{ authd_pass }} {% endif %} + {% if wazuh_agent_authd.ssl_agent_ca is defined and wazuh_agent_authd.ssl_agent_ca != None %} + -v "{{ wazuh_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_ca | basename }}" + {% endif %} + {% if wazuh_agent_authd.ssl_agent_cert is defined and wazuh_agent_authd.ssl_agent_cert != None %} + -x "{{ wazuh_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_cert | basename }}" + {% endif %} + {% if wazuh_agent_authd.ssl_agent_key is defined and wazuh_agent_authd.ssl_agent_key != None %} + -k "{{ wazuh_dir }}/etc/{{ wazuh_agent_authd.ssl_agent_key | basename }}" + {% endif %} + {% if wazuh_agent_authd.ssl_auto_negotiate == 'yes' %} -a {% endif %} + {% if wazuh_agent_authd.groups is defined and wazuh_agent_authd.groups | length > 0 %} + -G "{{ wazuh_agent_authd.groups | join(',') }}" + {% endif %} + register: agent_auth_output + notify: restart wazuh-agent + vars: + agent_name: "{% if single_agent_name is defined %}{{ single_agent_name }}{% else %}{{ ansible_hostname }}{% endif %}" + when: + - not client_keys_file.stat.exists or client_keys_file.stat.size == 0 + - wazuh_agent_authd.registration_address is not none + + - name: Linux | Verify agent registration + shell: echo {{ agent_auth_output }} | grep "Valid key received" + when: + - not client_keys_file.stat.exists or client_keys_file.stat.size == 0 + - wazuh_agent_authd.registration_address is not none + + when: + - wazuh_agent_authd.enable | bool + - wazuh_agent_config.enrollment.enabled != 'yes' + tags: + - config + - authd + +- name: Linux | Agent registration via rest-API + block: + + - name: Establish target Wazuh Manager for registration task + set_fact: + target_manager: '{{ manager_primary | 
length | ternary(manager_primary, manager_fallback) | first }}' + vars: + manager_primary: "{{ wazuh_managers | selectattr('register','true') | list }}" + manager_fallback: "{{ wazuh_managers | list }}" + + - name: Linux | Obtain JWT Token + uri: + url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/security/user/authenticate' + method: POST + url_username: '{{ target_manager.api_user }}' + url_password: '{{ api_pass }}' + status_code: 200 + return_content: yes + force_basic_auth: yes + validate_certs: '{{ target_manager.validate_certs | default(false) }}' + no_log: '{{ wazuh_agent_nolog_sensible | bool }}' + delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}' + changed_when: api_jwt_result.json.error == 0 + register: api_jwt_result + become: no + tags: + - config + - api + + - name: Linux | Create the agent key via rest-API + uri: + url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents' + method: POST + body_format: json + body: + name: '{{ agent_name }}' + ip: '{{ wazuh_agent_address }}' + force_time: 1 + headers: + Authorization: 'Bearer {{ jwt_token }}' + status_code: 200 + return_content: yes + validate_certs: '{{ target_manager.validate_certs | default(false) }}' + become: no + no_log: '{{ wazuh_agent_nolog_sensible | bool }}' + delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}' + changed_when: api_agent_post.json.error == 0 + register: api_agent_post + vars: + agent_name: '{{ target_manager.agent_name | default(ansible_hostname) }}' + jwt_token: '{{ api_jwt_result.json.data.token }}' + tags: + - config + - api + + - name: Linux | Validate registered agent key matches manager record + uri: + url: '{{ target_manager.api_proto }}://{{ target_manager.address }}:{{ target_manager.api_port }}/agents/{{ agent_id }}/key' + method: GET + headers: + Authorization: 'Bearer {{ jwt_token }}' + 
status_code: 200 + return_content: yes + validate_certs: '{{ target_manager.validate_certs | default(false) }}' + become: no + no_log: '{{ wazuh_agent_nolog_sensible | bool }}' + delegate_to: '{{ inventory_hostname if wazuh_api_reachable_from_agent else "localhost" }}' + register: api_agent_validation + vars: + agent_id: '{{ api_agent_post.json.data.id }}' + agent_key: '{{ api_agent_post.json.data.key }}' + jwt_token: '{{ api_jwt_result.json.data.token }}' + failed_when: api_agent_validation.json.data.affected_items[0].key != agent_key + when: + - wazuh_agent_api_validate | bool + - api_agent_post.json.error == 0 + tags: + - config + - api + + - name: Linux | Import Key (via rest-API) + command: "{{ wazuh_dir }}/bin/manage_agents" + environment: + OSSEC_ACTION: i + OSSEC_AGENT_NAME: '{{ agent_name }}' + OSSEC_AGENT_IP: '{{ wazuh_agent_address }}' + OSSEC_AGENT_ID: '{{ api_agent_post.json.data.id }}' + OSSEC_AGENT_KEY: '{{ api_agent_post.json.data.key }}' + OSSEC_ACTION_CONFIRMED: y + register: manage_agents_output + vars: + agent_name: '{{ target_manager.agent_name | default(ansible_hostname) }}' + notify: restart wazuh-agent + when: + - not ( wazuh_agent_authd.enable | bool ) + - wazuh_agent_config.enrollment.enabled != 'yes' + - not client_keys_file.stat.exists or client_keys_file.stat.size == 0 + tags: + - config + - api + +- name: Linux | Agent registration via auto-enrollment + debug: + msg: Agent registration will be performed through enrollment option in templated ossec.conf + when: wazuh_agent_config.enrollment.enabled == 'yes' + +- name: Linux | Ensure group "wazuh" exists + ansible.builtin.group: + name: wazuh + state: present + +- name: Linux | Installing agent configuration (ossec.conf) + template: + src: var-ossec-etc-ossec-agent.conf.j2 + dest: "{{ wazuh_dir }}/etc/ossec.conf" + owner: root + group: wazuh + mode: 0644 + notify: restart wazuh-agent + tags: + - init + - config + +- name: Linux | Installing local_internal_options.conf + template: + src: 
var-ossec-etc-local-internal-options.conf.j2 + dest: "{{ wazuh_dir }}/etc/local_internal_options.conf" + owner: root + group: wazuh + mode: 0640 + notify: restart wazuh-agent + tags: + - init + - config + +- name: Create auto-enrollment password file + template: + src: authd_pass.j2 + dest: "{{ wazuh_dir }}/etc/authd.pass" + owner: wazuh + group: wazuh + mode: 0640 + when: + - wazuh_agent_config.enrollment.enabled == 'yes' + - wazuh_agent_config.enrollment.authorization_pass_path | length > 0 + - authd_pass | length > 0 + tags: + - config + +- name: Linux | Ensure Wazuh Agent service is started and enabled + service: + name: wazuh-agent + enabled: true + state: started + tags: config + +- include_tasks: "RMRedHat.yml" + when: + - ansible_os_family == "RedHat" + - not wazuh_agent_sources_installation.enabled + +- include_tasks: "RMDebian.yml" + when: + - ansible_os_family == "Debian" + - not wazuh_agent_sources_installation.enabled diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/RMDebian.yml b/roles/wazuh/ansible-wazuh-agent/tasks/RMDebian.yml new file mode 100644 index 0000000..9999a7d --- /dev/null +++ b/roles/wazuh/ansible-wazuh-agent/tasks/RMDebian.yml @@ -0,0 +1,6 @@ +--- +- name: Remove Wazuh repository (and clean up left-over metadata) + apt_repository: + repo: "{{ wazuh_agent_config.repo.apt }}" + state: absent + changed_when: false diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/RMRedHat.yml b/roles/wazuh/ansible-wazuh-agent/tasks/RMRedHat.yml new file mode 100644 index 0000000..32bc6fc --- /dev/null +++ b/roles/wazuh/ansible-wazuh-agent/tasks/RMRedHat.yml @@ -0,0 +1,6 @@ +--- +- name: Remove Wazuh repository (and clean up left-over metadata) + yum_repository: + name: wazuh_repo + state: absent + changed_when: false diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/RedHat.yml b/roles/wazuh/ansible-wazuh-agent/tasks/RedHat.yml new file mode 100644 index 0000000..17d97c9 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-agent/tasks/RedHat.yml 
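Review bot: `validate_certs: '{{ target_manager.validate_certs | default(false) }}'` on the three `uri` tasks disables TLS verification by default while the API password is sent and the agent key is returned, so the REST-API registration path is open to on-path interception unless each manager entry opts in; `default(true)` with an explicit per-manager opt-out is the safer shape. In the authd path, `-P {{ authd_pass }}` places the enrollment password on agent-auth's argv and the registered result (`cmd` included) is then fed to `shell: echo {{ agent_auth_output }} | grep "Valid key received"` with no `no_log` on either task, so the secret can land in process listings and in the play log; add `no_log: '{{ wazuh_agent_nolog_sensible | bool }}'` to the register task and replace the echo task with `failed_when: "'Valid key received' not in (agent_auth_output.stdout ~ agent_auth_output.stderr)"` on it. If agent-auth's own `authd.pass` lookup is usable here, writing the password to `{{ wazuh_dir }}/etc/authd.pass` as the enrollment path already does would keep it off argv entirely.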
@@ -0,0 +1,68 @@ +--- +- name: RedHat/CentOS 5 | Install Wazuh repo + yum_repository: + name: wazuh_repo + description: Wazuh repository + baseurl: "{{ wazuh_agent_config.repo.yum }}5/" + gpgkey: "{{ wazuh_agent_config.repo.gpg }}-5" + gpgcheck: true + changed_when: false + when: + - (ansible_facts['os_family']|lower == 'redhat') and (ansible_distribution|lower != 'amazon') + - (ansible_distribution_major_version|int <= 5) + - not wazuh_agent_sources_installation.enabled + - not wazuh_custom_packages_installation_agent_enabled + register: repo_v5_installed + +- name: RedHat/CentOS/Fedora | Install Wazuh repo + yum_repository: + name: wazuh_repo + description: Wazuh repository + baseurl: "{{ wazuh_agent_config.repo.yum }}" + gpgkey: "{{ wazuh_agent_config.repo.gpg }}" + gpgcheck: true + changed_when: false + when: + - repo_v5_installed is skipped + - not wazuh_agent_sources_installation.enabled + - not wazuh_custom_packages_installation_agent_enabled + +- name: RedHat/CentOS/Fedora | Install OpenJDK 1.8 + yum: name=java-1.8.0-openjdk state=present + when: + - wazuh_agent_config.cis_cat.disable == 'no' + - wazuh_agent_config.cis_cat.install_java == 'yes' + tags: + - init + +- name: Set Distribution CIS filename for RHEL5 + set_fact: + cis_distribution_filename: cis_rhel5_linux_rcl.txt + when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "5" + +- name: Set Distribution CIS filename for RHEL6 + set_fact: + cis_distribution_filename: cis_rhel6_linux_rcl.txt + when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "6" + +- name: Set Distribution CIS filename for RHEL7 + set_fact: + cis_distribution_filename: cis_rhel7_linux_rcl.txt + when: + - ansible_os_family == "RedHat" + - ansible_distribution_major_version == "7" + +- name: Set Distribution CIS filename for RHEL7 (Amazon) + set_fact: + cis_distribution_filename: cis_rhel7_linux_rcl.txt + when: + - ansible_distribution == "Amazon" + - 
ansible_distribution_major_version == "NA" + +- name: RedHat/CentOS/RedHat | Install openscap + package: name=openscap-scanner state=present + register: wazuh_agent_openscap_package_install + until: wazuh_agent_openscap_package_install is succeeded + when: wazuh_agent_config.openscap.disable == 'no' + tags: + - init diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml b/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml new file mode 100644 index 0000000..f312253 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-agent/tasks/Windows.yml 
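Review bot: The `yum: name=java-1.8.0-openjdk state=present` and `package: name=openscap-scanner state=present` tasks use the free-form key=value shorthand while every other task in RedHat.yml passes block-style module arguments; for consistency (and because the project's `.ansible-lint` enables the default rule set, which may flag the free-form style) write them as `yum:` / `name: java-1.8.0-openjdk` / `state: present`. Both `yum_repository` tasks also carry `changed_when: false`, which hides the one run where a `gpgcheck: true` repo file is actually written — exactly the change an operator wants reported — so I would remove that line from both.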
@@ -0,0 +1,114 @@ +--- +- name: Windows | Check if Program Files (x86) exists + win_stat: + path: C:\Program Files (x86) + register: check_path + +- name: Windows | Set Win Path (x86) + set_fact: + wazuh_agent_win_path: "{{ wazuh_winagent_config.install_dir_x86 }}" + wazuh_agent_win_auth_path: "{{ wazuh_winagent_config.auth_path_x86 }}" + when: + - check_path.stat.exists + +- name: Windows | Set Win Path (x64) + set_fact: + wazuh_agent_win_path: "{{ wazuh_winagent_config.install_dir }}" + wazuh_agent_win_auth_path: "{{ wazuh_winagent_config.auth_path }}" + when: + - not check_path.stat.exists + +- name: Windows | Check if Wazuh installer is already downloaded + win_stat: + path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}" + register: wazuh_package_downloaded + +- name: Windows | Download Wazuh Agent package + win_get_url: + url: "{{ wazuh_winagent_config_url }}" + dest: "{{ wazuh_winagent_config.download_dir }}" + when: + - not wazuh_package_downloaded.stat.exists + +- name: Windows | Download SHA512 checksum file + win_get_url: + url: "{{ wazuh_winagent_sha512_url }}" + dest: "{{ wazuh_winagent_config.download_dir }}" + when: + - wazuh_winagent_config.check_sha512 + +- name: Extract checksum from SHA512 file + win_shell: Get-Content "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}.sha512" | ForEach-Object { $_.Split(' ')[0] } + register: extracted_checksum + when: + - wazuh_winagent_config.check_sha512 + +- name: Windows | Verify the Wazuh Agent installer + win_stat: + path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}" + get_checksum: true + checksum_algorithm: sha512 + register: wazuh_agent_status + failed_when: + - wazuh_agent_status.stat.checksum != extracted_checksum.stdout_lines[0] + when: + - wazuh_winagent_config.check_sha512 + +- name: Windows | Install Agent if not already installed + win_package: + path: "{{ wazuh_winagent_config.download_dir }}{{ 
wazuh_winagent_package_name }}" + state: present + +- name: Windows | Check if client.keys exists + win_stat: + path: "{{ wazuh_agent_win_path }}client.keys" + register: check_windows_key + tags: + - config + +- name: Windows | Register agent + win_shell: > + {{ wazuh_agent_win_auth_path }} + -m {{ wazuh_agent_authd.registration_address }} + -p {{ wazuh_agent_authd.port }} + {% if wazuh_agent_authd.agent_name is not none %}-A {{ wazuh_agent_authd.agent_name }} {% endif %} + {% if authd_pass | length > 0 %} -P {{ authd_pass }}{% endif %} + register: agent_auth_output + notify: Windows | Restart Wazuh Agent + when: + - wazuh_agent_authd.enable | bool + - not check_windows_key.stat.exists or check_windows_key.stat.size == 0 + - wazuh_agent_authd.registration_address is not none + tags: + - config + +- name: Windows | Check if ossec folder is accessible + win_file: + path: "{{ wazuh_agent_win_path }}" + state: directory + +- name: Windows | Installing agent configuration (ossec.conf) + template: # noqa 208 + src: var-ossec-etc-ossec-agent.conf.j2 + dest: "{{ wazuh_agent_win_path }}ossec.conf" + notify: Windows | Restart Wazuh Agent + tags: + - config + +- name: Windows | Installing local_internal_options.conf + template: + src: var-ossec-etc-local-internal-options.conf.j2 + dest: "{{ wazuh_agent_win_path }}local_internal_options.conf" + notify: Windows | Restart Wazuh Agent + tags: + - config + +- name: Windows | Delete downloaded Wazuh agent installer file + win_file: + path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}" + state: absent + +- name: Windows | Delete downloaded checksum file + win_file: + path: "{{ wazuh_winagent_config.download_dir }}{{ wazuh_winagent_package_name }}.sha512" + state: absent diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/installation_from_custom_packages.yml b/roles/wazuh/ansible-wazuh-agent/tasks/installation_from_custom_packages.yml new file mode 100644 index 0000000..aa50004 --- /dev/null 
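Review bot: The `Windows | Register agent` task puts `-P {{ authd_pass }}` on the command line and registers the result without `no_log`, so the enrollment password ends up in Ansible's task output, in any log callback and in the registered `agent_auth_output` fact; add `no_log: true` to that task (or `no_log: '{{ authd_pass | length > 0 }}'` if you want output kept when no password is configured). The SHA512 step compares the installer against a `.sha512` file fetched from a URL of the same kind, which catches a truncated or corrupted download but not a substituted one; `win_get_url` accepts `checksum` (with `checksum_algorithm: sha512`) or `checksum_url`, which would let the download itself fail closed instead of relying on the separate `win_stat` comparison. Both checksum tasks are also skipped whenever `wazuh_winagent_config.check_sha512` is false, so whether the installer is verified at all is an operator toggle that deserves a comment in defaults.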
+++ b/roles/wazuh/ansible-wazuh-agent/tasks/installation_from_custom_packages.yml
@@ -0,0 +1,28 @@
+---
+ - name: Install Wazuh Agent from .deb packages
+ apt:
+ deb: "{{ wazuh_custom_packages_installation_agent_deb_url }}"
+ state: present
+ when:
+ - ansible_os_family|lower == "debian"
+ - wazuh_custom_packages_installation_agent_enabled
+
+ - name: Install Wazuh Agent from .rpm packages | yum
+ yum:
+ name: "{{ wazuh_custom_packages_installation_agent_rpm_url }}"
+ state: present
+ when:
+ - ansible_os_family|lower == "redhat"
+ - wazuh_custom_packages_installation_agent_enabled
+ - not (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8")
+ - not (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
+
+ - name: Install Wazuh Agent from .rpm packages | dnf
+ dnf:
+ name: "{{ wazuh_custom_packages_installation_agent_rpm_url }}"
+ state: present
+ when:
+ - ansible_os_family|lower == "redhat"
+ - wazuh_custom_packages_installation_agent_enabled
+ - (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or
+ (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
\ No newline at end of file
diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/installation_from_sources.yml b/roles/wazuh/ansible-wazuh-agent/tasks/installation_from_sources.yml
new file mode 100644
index 0000000..fbfecd5
--- /dev/null
+++ b/roles/wazuh/ansible-wazuh-agent/tasks/installation_from_sources.yml
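Review bot: `ansible_distribution_major_version >= "8"` in the yum and dnf `when` lists is a string comparison, so a major version of `"10"` sorts below `"8"` and such hosts fall into the yum branch; compare as integers, `ansible_distribution_major_version | int >= 8`, in all four conditions. The `apt: deb: "{{ ... }}"` path hands whatever the URL serves straight to dpkg with no repository signature check, and the yum/dnf URL path relies only on those modules' default gpg handling; since these are operator-supplied "custom package" locations, it would be safer to fetch with `get_url` plus a `checksum:` pin and install the local file, so a changed artefact fails instead of installing.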
@@ -0,0 +1,100 @@ +--- + - name: Install dependencies to build Wazuh packages + package: + name: + - make + - gcc + - automake + - autoconf + - libtool + - tar + state: present + + - name: Removing old files + file: + path: "/tmp/{{ wazuh_agent_sources_installation.branch }}.tar.gz" + state: absent + + - name: Removing old folders + file: + path: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}" + state: absent + + - name: Installing policycoreutils-python (RedHat families) + package: + name: + - policycoreutils-python + when: + - ansible_os_family|lower == "redhat" + + - name: Installing policycoreutils-python-utils (Debian families) + package: + name: + - libc6-dev + - curl + - policycoreutils + when: + - ansible_os_family|lower == "debian" + + - name: Download required packages from github.com/wazuh/wazuh + get_url: + url: "https://github.com/wazuh/wazuh/archive/{{ wazuh_agent_sources_installation.branch }}.tar.gz" + dest: "/tmp/{{ wazuh_agent_sources_installation.branch }}.tar.gz" + delegate_to: "{{ inventory_hostname }}" + changed_when: false + + - name: Create folder to extract Wazuh branch + file: + path: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}" + mode: 0755 + state: directory + changed_when: false + + - name: Extract downloaded Wazuh branch from Github # Using shell instead of unarchive due to that module not working properlyh with --strip + command: >- + tar -xzvf /tmp/{{ wazuh_agent_sources_installation.branch }}.tar.gz + --strip 1 + --directory /tmp/wazuh-{{ wazuh_agent_sources_installation.branch }} + register: wazuh_untar + changed_when: false + args: + warn: false + + - name: Clean remaining files from others builds + command: "make -C src {{ item }}" + args: + chdir: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}/src/" + with_items: + - "clean" + - "clean-deps" + register: clean_result + changed_when: clean_result.rc == 0 + failed_when: false + + - name: Render the "preloaded-vars.conf" file + template: + src: 
"templates/preloaded_vars_agent.conf.j2" + dest: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}/etc/preloaded-vars.conf" + owner: root + group: root + mode: 0644 + changed_when: false + + - name: Executing "install.sh" script to build and install the Wazuh Agent + shell: ./install.sh > /tmp/build_agent_log.txt + register: installation_result + changed_when: installation_result == 0 + args: + chdir: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}" + + - name: Cleanup downloaded files + file: + path: "/tmp/{{ wazuh_agent_sources_installation.branch }}.tar.gz" + state: absent + changed_when: false + + - name: Cleanup created folders + file: + path: "/tmp/wazuh-{{ wazuh_agent_sources_installation.branch }}" + state: absent + changed_when: false \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-agent/tasks/main.yml b/roles/wazuh/ansible-wazuh-agent/tasks/main.yml new file mode 100644 index 0000000..d12446b --- /dev/null +++ b/roles/wazuh/ansible-wazuh-agent/tasks/main.yml @@ -0,0 +1,25 @@ +--- + +- include_vars: ../../vars/repo_vars.yml + +- include_vars: ../../vars/repo.yml + when: packages_repository == 'production' + +- include_vars: ../../vars/repo_pre-release.yml + when: packages_repository == 'pre-release' + +- include_vars: ../../vars/repo_staging.yml + when: packages_repository == 'staging' + +- name: Overlay wazuh_agent_config on top of defaults + set_fact: + wazuh_agent_config: '{{ wazuh_agent_config_defaults | combine(config_layer, recursive=True) }}' + vars: + config_layer: '{{ wazuh_agent_config | default({}) }}' + when: wazuh_agent_config_overlay | bool + +- include_tasks: "Windows.yml" + when: ansible_os_family == "Windows" + +- include_tasks: "Linux.yml" + when: ansible_system == "Linux" diff --git a/roles/wazuh/ansible-wazuh-agent/templates/authd_pass.j2 b/roles/wazuh/ansible-wazuh-agent/templates/authd_pass.j2 new file mode 100644 index 0000000..97a481f --- /dev/null 
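Review bot: `changed_when: installation_result == 0` on the `Executing "install.sh"` task compares the whole registered result dictionary with `0`, which is never true, so the build-and-install step always reports `ok` even when it just installed the agent; it should read `changed_when: installation_result.rc == 0`. The `get_url` fetch of the branch tarball has no `checksum:`, so whatever GitHub serves for that branch name is compiled and installed as root with no integrity pin — for a fixed tag a `checksum: sha256:<expected_digest>` (placeholder) would close that — and `delegate_to: "{{ inventory_hostname }}"` on the same task is a no-op that can be dropped. `args: warn: false` on the tar command is, as far as I recall, no longer accepted by the command module in recent ansible-core, so that task may fail outright on current versions; worth confirming against the Ansible version the repo pins.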
+++ b/roles/wazuh/ansible-wazuh-agent/templates/authd_pass.j2
@@ -0,0 +1 @@
+{{ authd_pass }}
\ No newline at end of file
diff --git a/roles/wazuh/ansible-wazuh-agent/templates/preloaded_vars_agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/preloaded_vars_agent.conf.j2
new file mode 100644
index 0000000..0887b36
--- /dev/null
+++ b/roles/wazuh/ansible-wazuh-agent/templates/preloaded_vars_agent.conf.j2
@@ -0,0 +1,7 @@
+{% for key, value in wazuh_agent_sources_installation.items() %}
+{% if "user_" in key %}
+{% if value is defined and value is not none %}
+{{ key|upper }}="{{ value }}"
+{% endif %}
+{% endif %}
+{% endfor %}
\ No newline at end of file
diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-local-internal-options.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-local-internal-options.conf.j2
new file mode 100644
index 0000000..81979e5
--- /dev/null
+++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-local-internal-options.conf.j2
@@ -0,0 +1,16 @@
+# local_internal_options.conf
+#
+# This file should be handled with care. It contains
+# run time modifications that can affect the use
+# of OSSEC. Only change it if you know what you
+# are doing. Look first at ossec.conf
+# for most of the things you want to change.
+#
+# This file will not be overwritten during upgrades.
+
+# This is the template of Ansible for the file local_internal_options.conf
+# In this file you could include the configuration settings for your agents
+
+# Logcollector - If it should accept remote commands from the manager
+logcollector.remote_commands=1
+
diff --git a/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2 b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
new file mode 100644
index 0000000..8eef3d1
--- /dev/null
+++ b/roles/wazuh/ansible-wazuh-agent/templates/var-ossec-etc-ossec-agent.conf.j2
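Review bot: `logcollector.remote_commands=1` is hard-coded in var-ossec-etc-local-internal-options.conf.j2, so every agent this role provisions accepts commands pushed from the manager through the shared agent configuration; that is a deliberate capability, but it also means a compromised manager, or anyone able to edit the shared agent.conf, can run commands on every agent at once. I would make it a role variable with the current value as the default so sites that do not use remote commands can switch it off, e.g. `logcollector.remote_commands={{ <remote_commands_var> | default(1) }}` where `<remote_commands_var>` is a placeholder for whichever defaults key is chosen, and extend the existing comment to spell out the consequence: `# 1 lets the manager push commands via shared agent.conf; set 0 if remote commands are not used`.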
@@ -0,0 +1,450 @@ +#jinja2: lstrip_blocks: True + + + + + + {% for manager in wazuh_managers %} + +
{{ manager.address }}
+ {% if manager.port is defined %} + {{ manager.port }} + {% endif %} + {% if manager.protocol is defined %} + {{ manager.protocol }} + {% endif %} + {% if manager.max_retries is defined and manager.retry_interval is defined %} + {{ manager.max_retries }} + {{ manager.retry_interval }} + {% endif %} +
+ {% endfor %} + {% if wazuh_profile_centos is not none or wazuh_profile_ubuntu is not none %} + {% if ansible_distribution == 'CentOS' %} + {{ wazuh_profile_centos }} + {% elif ansible_distribution == "Ubuntu" %} + {{ wazuh_profile_ubuntu }} + {% endif %} + {% endif %} + {% if wazuh_notify_time is not none and wazuh_time_reconnect is not none %} + {{ wazuh_notify_time }} + {{ wazuh_time_reconnect }} + {% endif %} + {{ wazuh_auto_restart }} + {{ wazuh_crypto_method }} + + {% if wazuh_agent_config.enrollment.enabled == 'yes' %} + + {{ wazuh_agent_config.enrollment.enabled }} + {% if wazuh_agent_config.enrollment.manager_address | length > 0 %} + {{ wazuh_agent_config.enrollment.manager_address }} + {% endif %} + {% if wazuh_agent_config.enrollment.agent_name | length > 0 %} + {{ wazuh_agent_config.enrollment.agent_name }} + {% endif %} + {% if wazuh_agent_config.enrollment.port is defined > 0 %} + {{ wazuh_agent_config.enrollment.port }} + {% endif %} + {% if wazuh_agent_config.enrollment.groups | length > 0 %} + {{ wazuh_agent_config.enrollment.groups }} + {% endif %} + {% if wazuh_agent_config.enrollment.agent_address | length > 0 %} + {{ wazuh_agent_config.enrollment.agent_address }} + {% endif %} + {% if wazuh_agent_config.enrollment.server_ca_path | length > 0 %} + {{ wazuh_agent_config.enrollment.server_ca_path }} + {% endif %} + {% if wazuh_agent_config.enrollment.agent_certificate_path | length > 0 %} + {{ wazuh_agent_config.enrollment.agent_certificate_path }} + {% endif %} + {% if wazuh_agent_config.enrollment.agent_key_path | length > 0 %} + {{ wazuh_agent_config.enrollment.agent_key_path }} + {% endif %} + {% if wazuh_agent_config.enrollment.authorization_pass_path | length > 0 %} + {{ wazuh_agent_config.enrollment.authorization_pass_path }} + {% endif %} + {% if wazuh_agent_config.enrollment.auto_method | length > 0 %} + {{ wazuh_agent_config.enrollment.auto_method }} + {% endif %} + {% if wazuh_agent_config.enrollment.delay_after_enrollment is defined 
> 0 %} + {{ wazuh_agent_config.enrollment.delay_after_enrollment }} + {% endif %} + {% if wazuh_agent_config.enrollment.use_source_ip | length > 0 %} + {{ wazuh_agent_config.enrollment.use_source_ip }} + {% endif %} + + {% endif %} + +
+ + + + {{ wazuh_agent_config.client_buffer.disable }} + {{ wazuh_agent_config.client_buffer.queue_size }} + {{ wazuh_agent_config.client_buffer.events_per_sec }} + + + {% if wazuh_agent_config.rootcheck is defined %} + + no + {% if ansible_system == "Linux" %} + yes + yes + yes + yes + yes + yes + yes + + + {{ wazuh_agent_config.rootcheck.frequency }} + + {{ wazuh_dir }}/etc/shared/rootkit_files.txt + {{ wazuh_dir }}/etc/shared/rootkit_trojans.txt + yes + {% endif %} + {% if ansible_os_family == "Windows" %} + ./shared/win_applications_rcl.txt + ./shared/win_malware_rcl.txt + {% endif %} + + + {% endif %} + + + {% if ansible_system == "Linux" and wazuh_agent_config.openscap.disable == 'no' %} + + {{ wazuh_agent_config.openscap.disable }} + {{ wazuh_agent_config.openscap.timeout }} + {{ wazuh_agent_config.openscap.interval }} + {{ wazuh_agent_config.openscap.scan_on_start }} + {% if ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial' %} + + xccdf_org.ssgproject.content_profile_common + + {% elif ansible_distribution == 'Debian' %} + {% if ansible_distribution_release == 'jessie' %} + {% if openscap_version_valid.stdout == "0" %} + + xccdf_org.ssgproject.content_profile_common + + + {% endif %} + {% elif ansible_distribution_release == 'stretch' %} + + {% endif %} + {% elif ansible_distribution == 'CentOS' %} + {% if ansible_distribution_major_version == '8' %} + {# Policy not available #} + {% elif ansible_distribution_major_version == '7' %} + + xccdf_org.ssgproject.content_profile_pci-dss + xccdf_org.ssgproject.content_profile_common + + {% elif ansible_distribution_major_version == '6' %} + + xccdf_org.ssgproject.content_profile_pci-dss + xccdf_org.ssgproject.content_profile_common + + {% endif %} + {% elif ansible_distribution == 'RedHat' %} + {% if ansible_distribution_major_version == '8' %} + {# Policy not available #} + {% elif ansible_distribution_major_version == '7' %} + + xccdf_org.ssgproject.content_profile_pci-dss + 
xccdf_org.ssgproject.content_profile_common + + {% elif ansible_distribution_major_version == '6' %} + + xccdf_org.ssgproject.content_profile_pci-dss + xccdf_org.ssgproject.content_profile_common + + {% endif %} + {% if ansible_distribution_major_version == '7' %} + + {% elif ansible_distribution_major_version == '6' %} + + {% endif %} + {% elif ansible_distribution == 'Fedora' %} + + xccdf_org.ssgproject.content_profile_pci-dss + xccdf_org.ssgproject.content_profile_common + + {% endif %} + + {% endif %} + + + {{ wazuh_agent_config.cis_cat.disable }} + {{ wazuh_agent_config.cis_cat.timeout }} + {{ wazuh_agent_config.cis_cat.interval }} + {{ wazuh_agent_config.cis_cat.scan_on_start }} + {% if wazuh_agent_config.cis_cat.install_java == 'yes' and ansible_system == "Linux" %} + /usr/bin + {% elif ansible_os_family == "Windows" %} + {{ wazuh_agent_config.cis_cat.java_path_win }} + {% else %} + {{ wazuh_agent_config.cis_cat.java_path }} + {% endif %} + {% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.cis_cat.ciscat_path_win }}{% else %}{{ wazuh_agent_config.cis_cat.ciscat_path }}{% endif %} + + + + + {{ wazuh_agent_config.osquery.disable }} + {{ wazuh_agent_config.osquery.run_daemon }} + {% if ansible_os_family == "Windows" %} + {{ wazuh_agent_config.osquery.bin_path_win }} + {% endif %} + {% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.osquery.log_path_win }}{% else %}{{ wazuh_agent_config.osquery.log_path }}{% endif %} + {% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.osquery.config_path_win }}{% else %}{{ wazuh_agent_config.osquery.config_path }}{% endif %} + {{ wazuh_agent_config.osquery.add_labels }} + + + + + {{ wazuh_agent_config.syscollector.disable }} + {{ wazuh_agent_config.syscollector.interval }} + {{ wazuh_agent_config.syscollector.scan_on_start }} + {{ wazuh_agent_config.syscollector.hardware }} + {{ wazuh_agent_config.syscollector.os }} + {{ wazuh_agent_config.syscollector.network }} + {{ 
wazuh_agent_config.syscollector.packages }} + {{ wazuh_agent_config.syscollector.ports_no }} + {{ wazuh_agent_config.syscollector.processes }} + + + + {% if wazuh_agent_config.sca.enabled | length > 0 %} + {{ wazuh_agent_config.sca.enabled }} + {% endif %} + {% if wazuh_agent_config.sca.scan_on_start | length > 0 %} + {{ wazuh_agent_config.sca.scan_on_start }} + {% endif %} + {% if wazuh_agent_config.sca.interval | length > 0 %} + {{ wazuh_agent_config.sca.interval }} + {% endif %} + {% if wazuh_agent_config.sca.skip_nfs | length > 0 %} + yes + {% endif %} + {% if wazuh_agent_config.sca.day | length > 0 %} + {{ wazuh_agent_config.sca.day }} + {% endif %} + {% if wazuh_agent_config.sca.wday | length > 0 %} + {{ wazuh_agent_config.sca.wday }} + {% endif %} + {% if wazuh_agent_config.sca.time | length > 0 %} + + {% endif %} + + + + + {% if wazuh_agent_config.syscheck is defined %} + + no + {{ wazuh_agent_config.syscheck.frequency }} + {% if ansible_system == "Linux" %} + {{ wazuh_agent_config.syscheck.scan_on_start }} + + {% if wazuh_agent_config.syscheck.directories is defined and ansible_system == "Linux" %} + {% for directory in wazuh_agent_config.syscheck.directories %} + {{ directory.dirs }} + {% endfor %} + {% endif %} + {% endif %} + + + {% if wazuh_agent_config.syscheck.win_directories is defined and ansible_os_family == "Windows" %} + {% for directory in wazuh_agent_config.syscheck.win_directories %} + {{ directory.dirs }} + {% endfor %} + {% endif %} + + + {% if wazuh_agent_config.syscheck.ignore is defined and ansible_system == "Linux" %} + {% for ignore in wazuh_agent_config.syscheck.ignore %} + {{ ignore }} + {% endfor %} + {% endif %} + + + {% if wazuh_agent_config.syscheck.ignore_linux_type is defined %} + {% for ignore in wazuh_agent_config.syscheck.ignore_linux_type %} + {{ ignore }} + {% endfor %} + {% endif %} + + {% if wazuh_agent_config.syscheck.ignore is defined and ansible_os_family == "Windows" %} + {% for ignore in 
wazuh_agent_config.syscheck.ignore_win %} + {{ ignore }} + {% endfor %} + {% endif %} + + {% if ansible_system == "Linux" %} + + {% for no_diff in wazuh_agent_config.syscheck.no_diff %} + {{ no_diff }} + {% endfor %} + + {{ wazuh_agent_config.syscheck.skip_nfs }} + {{ wazuh_agent_config.syscheck.skip_dev }} + {{ wazuh_agent_config.syscheck.skip_proc }} + {{ wazuh_agent_config.syscheck.skip_sys }} + {% endif %} + + {% if ansible_os_family == "Windows" %} + {% for registry_key in wazuh_agent_config.syscheck.windows_registry %} + {% if registry_key.arch is defined %} + {{ registry_key.key }} + {% else %} + {{ registry_key.key }} + {% endif %} + {% endfor %} + {% endif %} + + {% if ansible_os_family == "Windows" %} + {% for registry_key in wazuh_agent_config.syscheck.windows_registry_ignore %} + {% if registry_key.type is defined %} + {{ registry_key.key }} + {% else %} + {{ registry_key.key }} + {% endif %} + {% endfor %} + {% endif %} + + {% if ansible_os_family == "Windows" %} + + {{ wazuh_agent_config.syscheck.win_audit_interval }} + {% endif %} + + + {{ wazuh_agent_config.syscheck.process_priority }} + + + {{ wazuh_agent_config.syscheck.max_eps }} + + + + {{ wazuh_agent_config.syscheck.sync_enabled }} + {{ wazuh_agent_config.syscheck.sync_interval }} + {{ wazuh_agent_config.syscheck.sync_max_interval }} + {{ wazuh_agent_config.syscheck.sync_max_eps }} + + + {% endif %} + + + {% if ansible_system == "Linux" %} + {% for localfile in wazuh_agent_config.localfiles.linux %} + + + {{ localfile.format }} + {% if localfile.format == 'command' or localfile.format == 'full_command' %} + {{ localfile.command }} + {{ localfile.frequency }} + {% if localfile.alias is defined %} + {{ localfile.alias }} + {% endif %} + {% else %} + {{ localfile.location }} + {% if localfile.format == 'json' %} + {% for label in localfile.label %} + + {% endfor %} + {% endif %} + {% endif %} + + {% endfor %} + {% endif %} + + {% if ansible_os_family == "Debian" %} + {% for localfile in 
wazuh_agent_config.localfiles.debian %} + + + {{ localfile.format }} + {% if localfile.format == 'command' or localfile.format == 'full_command' %} + {{ localfile.command }} + {{ localfile.frequency }} + {% if localfile.alias is defined %} + {{ localfile.alias }} + {% endif %} + {% else %} + {{ localfile.location }} + {% if localfile.format == 'json' %} + {% for label in localfile.label %} + + {% endfor %} + {% endif %} + {% endif %} + + {% endfor %} + {% endif %} + + {% if ansible_os_family == "RedHat" %} + {% for localfile in wazuh_agent_config.localfiles.centos %} + + + {{ localfile.format }} + {% if localfile.format == 'command' or localfile.format == 'full_command' %} + {{ localfile.command }} + {{ localfile.frequency }} + {% if localfile.alias is defined %} + {{ localfile.alias }} + {% endif %} + {% else %} + {{ localfile.location }} + {% if localfile.format == 'json' %} + {% for label in localfile.label %} + + {% endfor %} + {% endif %} + {% endif %} + + {% endfor %} + {% endif %} + + {% if ansible_os_family == "Windows" %} + {% for localfile in wazuh_agent_config.localfiles.windows %} + + + {{ localfile.format }} + {% if localfile.format == 'eventchannel' %} + {{ localfile.location }} + {{ localfile.query}} + {% else %} + {{ localfile.location }} + {% if localfile.format == 'json' %} + {% for label in localfile.label %} + + {% endfor %} + {% endif %} + {% endif %} + + {% endfor %} + {% endif %} + +{% if wazuh_agent_config.labels.enable == true %} + + {% for label in wazuh_agent_config.labels.list %} + + {% endfor %} + +{% endif %} + + + {{ wazuh_agent_config.active_response.ar_disabled|default('no') }} + {% if ansible_os_family == "Windows" %}{{ wazuh_agent_config.active_response.ca_store_win }}{% else %}{{ wazuh_agent_config.active_response.ca_store }}{% endif %} + {{ wazuh_agent_config.active_response.ca_verification }} + + + + {{ wazuh_agent_config.log_format }} + + +
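Review bot: In the syscheck section the guard `{% if wazuh_agent_config.syscheck.ignore is defined and ansible_os_family == "Windows" %}` protects a loop over `wazuh_agent_config.syscheck.ignore_win`, so a config that defines `ignore` but not `ignore_win` fails at render time on Windows while one that defines only `ignore_win` is silently skipped; the condition should test `wazuh_agent_config.syscheck.ignore_win is defined`. The enrollment block uses `{% if wazuh_agent_config.enrollment.port is defined > 0 %}` and the same shape for `delay_after_enrollment`; these evaluate as `(x is defined) > 0`, which happens to work but reads as a typo, so `is defined` alone (or `is defined and ... > 0` if a positive value is really required) states the intent. The XML element names are not visible in this rendering of the hunk, so only the Jinja expressions were checked.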
diff --git a/roles/wazuh/ansible-wazuh-manager/README.md b/roles/wazuh/ansible-wazuh-manager/README.md new file mode 100644 index 0000000..38f0bf8 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/README.md 
@@ -0,0 +1,229 @@ +Ansible Playbook - Wazuh manager +================================ + +This role will install the Wazuh manager on a host. + +Requirements +------------ + +This role will work on: + * Red Hat + * CentOS + * Fedora + * Debian + * Ubuntu + +Role Variables +-------------- + +This role has some variables which you can or need to override. +``` +wazuh_manager_fqdn: ~ +wazuh_manager_config: [] +shared_agent_config: [] +``` + +Vault variables +---------------- + +### vars/agentless_creds.yml +This file has the agenless credentials. +``` +--- + agentless_creds: + - type: ssh_integrity_check_linux + frequency: 3600 + host: root@example.net + state: periodic + arguments: '/bin /etc/ /sbin' + passwd: qwerty +``` + +### vars/wazuh_api_creds.yml +This file has user and password created in httpasswd format. +``` +--- +wazuh_api_user: + - "foo:$apr1$/axqZYWQ$Xo/nz/IG3PdwV82EnfYKh/" +``` + +### vars/authd_pass.yml +This file has the password to be used for the authd daemon. +``` +--- +authd_pass: foobar +``` + +Default config +-------------- + +### defaults/main.yml +``` +--- +wazuh_manager_fqdn: "wazuh-server" + +wazuh_manager_config: + json_output: 'yes' + alerts_log: 'yes' + logall: 'no' + authd: + enable: false + email_notification: no + mail_to: + - admin@example.net + mail_smtp_server: localhost + mail_from: wazuh-server@example.com + syscheck: + frequency: 43200 + scan_on_start: 'yes' + ignore: + - /etc/mtab + - /etc/mnttab + - /etc/hosts.deny + - /etc/mail/statistics + - /etc/random-seed + - /etc/random.seed + - /etc/adjtime + - /etc/httpd/logs + - /etc/utmpx + - /etc/wtmpx + - /etc/cups/certs + - /etc/dumpdates + - /etc/svc/volatile + no_diff: + - /etc/ssl/private.key + directories: + - dirs: /etc,/usr/bin,/usr/sbin + checks: 'check_all="yes"' + - dirs: /bin,/sbin + checks: 'check_all="yes"' + rootcheck: + frequency: 43200 + openscap: + timeout: 1800 + interval: '1d' + scan_on_start: 'yes' + log_level: 1 + email_level: 12 + localfiles: + - format: 
'syslog' + location: '/var/log/messages' + - format: 'syslog' + location: '/var/log/secure' + - format: 'command' + command: 'df -P' + frequency: '360' + - format: 'full_command' + command: 'netstat -tln | grep -v 127.0.0.1 | sort' + frequency: '360' + - format: 'full_command' + command: 'last -n 20' + frequency: '360' + globals: + - '127.0.0.1' + - '192.168.2.1' + connection: + - type: 'secure' + port: '1514' + protocol: 'tcp' + commands: + - name: 'disable-account' + executable: 'disable-account.sh' + expect: 'user' + timeout_allowed: 'yes' + - name: 'restart-ossec' + executable: 'restart-ossec.sh' + expect: '' + timeout_allowed: 'no' + - name: 'firewall-drop' + executable: 'firewall-drop.sh' + expect: 'srcip' + timeout_allowed: 'yes' + - name: 'host-deny' + executable: 'host-deny.sh' + expect: 'srcip' + timeout_allowed: 'yes' + - name: 'route-null' + executable: 'route-null.sh' + expect: 'srcip' + timeout_allowed: 'yes' + - name: 'win_route-null' + executable: 'route-null.cmd' + expect: 'srcip' + timeout_allowed: 'yes' + active_responses: + - command: 'host-deny' + location: 'local' + level: 6 + timeout: 600 + +shared_agent_config: + - type: os + type_value: linux + frequency_check: 79200 + ignore_files: + - /etc/mtab + - /etc/mnttab + - /etc/hosts.deny + - /etc/mail/statistics + - /etc/svc/volatile + directories: + - check_all: yes + dirs: /etc,/usr/bin,/usr/sbin + - check_all: yes + dirs: /bin,/sbin + localfiles: + - format: 'syslog' + location: '/var/log/messages' + - format: 'syslog' + location: '/var/log/secure' + - format: 'syslog' + location: '/var/log/maillog' + - format: 'apache' + location: '/var/log/httpd/error_log' + - format: 'apache' + location: '/var/log/httpd/access_log' + - format: 'apache' + location: '/var/ossec/logs/active-responses.log' +``` + +#### Custom variables: +You can create a YAML file and change the default variables for this role, to later using it with `-e` option in `ansible-playbooks`, for example: + +``` +--- 
+wazuh_manager_fqdn: "wazuh-server" + +wazuh_manager_config: + email_notification: yes + mail_to: + - myadmin@mydomain.com + mail_smtp_server: mysmtp.mydomain.com +``` + +Dependencies +------------ + +No dependencies. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: wazuh-server.example.com + roles: + - { role: ansible-wazuh-server } + +License and copyright +--------------------- + +WAZUH Copyright (C) 2016, Wazuh Inc. (License GPLv3) + +### Based on previous work from dj-wasabi + + - https://github.com/dj-wasabi/ansible-ossec-server + +### Modified by Wazuh + +The playbooks have been modified by Wazuh, including some specific requirements, templates and configuration to improve integration with Wazuh ecosystem. diff --git a/roles/wazuh/ansible-wazuh-manager/defaults/main.yml b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml new file mode 100644 index 0000000..310520c --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/defaults/main.yml 
@@ -0,0 +1,538 @@ +--- +wazuh_manager_version: 4.7.2 + +wazuh_manager_fqdn: "wazuh-server" +wazuh_manager_package_state: present + +# Custom packages installation +wazuh_custom_packages_installation_manager_enabled: false +wazuh_custom_packages_installation_manager_deb_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/" +wazuh_custom_packages_installation_manager_rpm_url: "https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/" + +# Sources installation +wazuh_manager_sources_installation: + enabled: false + branch: "v4.7.2" + user_language: "en" + user_no_stop: "y" + user_install_type: "server" + user_dir: "/var/ossec" + user_delete_dir: null + user_enable_active_response: null + user_enable_syscheck: "y" + user_enable_rootcheck: "y" + user_enable_openscap: "n" + user_enable_authd: "y" + user_generate_authd_cert: null + user_update: "y" + user_binaryinstall: null + user_enable_email: "n" + user_auto_start: "y" + user_email_address: null + user_email_smpt: null + user_enable_syslog: "n" + user_white_list: "n" + user_ca_store: null + threads: "2" + +wazuh_dir: "/var/ossec" + +########################################## +### Wazuh-OSSEC +########################################## + +# groups to create +agent_groups: [] + +## Global +wazuh_manager_json_output: 'yes' +wazuh_manager_alerts_log: 'yes' +wazuh_manager_logall: 'no' +wazuh_manager_logall_json: 'no' + +wazuh_manager_email_notification: 'no' +wazuh_manager_mailto: + - 'admin@example.net' + +wazuh_manager_email_smtp_server: smtp.example.wazuh.com +wazuh_manager_email_from: wazuh@example.wazuh.com +wazuh_manager_email_maxperhour: 12 +wazuh_manager_email_queue_size: 131072 +wazuh_manager_email_log_source: 'alerts.log' + +wazuh_manager_globals: + - '127.0.0.1' + - '^localhost.localdomain$' + - '127.0.0.53' + +wazuh_manager_agent_disconnection_time: '20s' +wazuh_manager_agents_disconnection_alert_time: '100s' + +## Alerts +wazuh_manager_log_level: 3 +wazuh_manager_email_level: 12 + +## Logging 
+wazuh_manager_log_format: 'plain' + +## Email alerts +wazuh_manager_extra_emails: + - enable: false + mail_to: 'recipient@example.wazuh.com' + format: full + level: 7 + event_location: null + group: null + do_not_delay: false + do_not_group: false + rule_id: null + + +## Remote +wazuh_manager_connection: + - type: 'secure' + port: '1514' + protocol: 'tcp' + queue_size: 131072 + +## Reports +wazuh_manager_reports: + - enable: false + category: 'syscheck' + title: 'Daily report: File changes' + email_to: 'recipient@example.wazuh.com' + location: null + group: null + rule: null + level: null + srcip: null + user: null + showlogs: null + +## Woodles +wazuh_manager_rootcheck: + frequency: 43200 + +wazuh_manager_openscap: + disable: 'yes' + timeout: 1800 + interval: '1d' + scan_on_start: 'yes' + +wazuh_manager_ciscat: + disable: 'yes' + install_java: 'yes' + timeout: 1800 + interval: '1d' + scan_on_start: 'yes' + java_path: '/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/bin' + ciscat_path: 'wodles/ciscat' + +wazuh_manager_osquery: + disable: 'yes' + run_daemon: 'yes' + log_path: '/var/log/osquery/osqueryd.results.log' + config_path: '/etc/osquery/osquery.conf' + ad_labels: 'yes' + +wazuh_manager_syscollector: + disable: 'no' + interval: '1h' + scan_on_start: 'yes' + hardware: 'yes' + os: 'yes' + network: 'yes' + packages: 'yes' + ports_no: 'yes' + processes: 'yes' + +wazuh_manager_monitor_aws: + disabled: 'yes' + interval: '10m' + run_on_start: 'yes' + skip_on_error: 'yes' + s3: + - name: null + bucket_type: null + path: null + only_logs_after: null + access_key: null + secret_key: null + +## SCA +wazuh_manager_sca: + enabled: 'yes' + scan_on_start: 'yes' + interval: '12h' + skip_nfs: 'yes' + day: '' + wday: '' + time: '' + +## Vulnerability Detector +wazuh_manager_vulnerability_detector: + enabled: 'no' + interval: '5m' + min_full_scan_interval: '6h' + run_on_start: 'yes' + providers: + - enabled: 'no' + os: + - 'trusty' + - 'xenial' + - 'bionic' + - 'focal' + - 'jammy' + 
update_interval: '1h' + name: '"canonical"' + - enabled: 'no' + os: + - 'buster' + - 'bullseye' + - 'bookworm' + update_interval: '1h' + name: '"debian"' + - enabled: 'no' + os: + - '5' + - '6' + - '7' + - '8' + - '9' + update_interval: '1h' + name: '"redhat"' + - enabled: 'no' + os: + - '8' + - '9' + update_interval: '1h' + name: '"almalinux"' + - enabled: 'no' + os: + - 'amazon-linux' + - 'amazon-linux-2' + - 'amazon-linux-2023' + update_interval: '1h' + name: '"alas"' + - enabled: 'no' + os: + - '11-server' + - '11-desktop' + - '12-server' + - '12-desktop' + - '15-server' + - '15-desktop' + update_interval: '1h' + name: '"suse"' + - enabled: 'no' + update_interval: '1h' + name: '"arch"' + - enabled: 'no' + update_interval: '1h' + name: '"msu"' + - enabled: 'no' + update_interval: '1h' + name: '"nvd"' + +## Syscheck +wazuh_manager_syscheck: + disable: 'no' + frequency: 43200 + scan_on_start: 'yes' + auto_ignore: 'no' + ignore: + - /etc/mtab + - /etc/hosts.deny + - /etc/mail/statistics + - /etc/random-seed + - /etc/random.seed + - /etc/adjtime + - /etc/httpd/logs + - /etc/utmpx + - /etc/wtmpx + - /etc/cups/certs + - /etc/dumpdates + - /etc/svc/volatile + ignore_linux_type: + - '.log$|.swp$' + no_diff: + - /etc/ssl/private.key + directories: + - dirs: /etc,/usr/bin,/usr/sbin + checks: '' + - dirs: /bin,/sbin,/boot + checks: '' + auto_ignore_frequency: + frequency: 'frequency="10"' + timeframe: 'timeframe="3600"' + value: 'no' + skip_nfs: 'yes' + skip_dev: 'yes' + skip_proc: 'yes' + skip_sys: 'yes' + process_priority: 10 + max_eps: 100 + sync_enabled: 'yes' + sync_interval: '5m' + sync_max_interval: '1h' + sync_max_eps: 10 + +## Command +wazuh_manager_commands: + - name: 'disable-account' + executable: 'disable-account' + timeout_allowed: 'yes' + - name: 'restart-wazuh' + executable: 'restart-wazuh' + - name: 'firewall-drop' + executable: 'firewall-drop' + expect: 'srcip' + timeout_allowed: 'yes' + - name: 'host-deny' + executable: 'host-deny' + timeout_allowed: 
'yes' + - name: 'route-null' + executable: 'route-null' + timeout_allowed: 'yes' + - name: 'win_route-null' + executable: 'route-null.exe' + timeout_allowed: 'yes' + - name: 'netsh' + executable: 'netsh.exe' + timeout_allowed: 'yes' + +## Localfile +wazuh_manager_localfiles: + common: + - format: 'command' + command: df -P + frequency: '360' + - format: 'full_command' + command: netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d + alias: 'netstat listening ports' + frequency: '360' + - format: 'full_command' + command: 'last -n 20' + frequency: '360' + - format: 'syslog' + location: "{{ wazuh_dir }}/logs/active-responses.log" + debian: + - format: 'syslog' + location: '/var/log/auth.log' + - format: 'syslog' + location: '/var/log/syslog' + - format: 'syslog' + location: '/var/log/dpkg.log' + - format: 'syslog' + location: '/var/log/kern.log' + centos: + - format: 'syslog' + location: '/var/log/messages' + - format: 'syslog' + location: '/var/log/secure' + - format: 'syslog' + location: '/var/log/maillog' + - format: 'audit' + location: '/var/log/audit/audit.log' + +## Syslog outputs +wazuh_manager_syslog_outputs: + - server: null + port: null + format: null + +## Integrations +wazuh_manager_integrations: + # slack + - name: null + hook_url: '' + alert_level: 10 + alert_format: 'json' + rule_id: null + # pagerduty + - name: null + api_key: '' + alert_level: 12 + +## Labels +wazuh_manager_labels: + enable: false + list: + - key: Env + value: Production + +## Ruleset +wazuh_manager_ruleset: + rules_path: 'custom_ruleset/rules/' + decoders_path: 'custom_ruleset/decoders/' + cdb_lists: + - 'audit-keys' + - 'security-eventchannel' + - 'amazon/aws-eventnames' + +wazuh_manager_rule_exclude: + - '0215-policy_rules.xml' + +## Auth +wazuh_manager_authd: + enable: true + port: 1515 + 
use_source_ip: 'no' + force: + enabled: 'yes' + key_mismatch: 'yes' + disconnected_time: '1h' + after_registration_time: '1h' + purge: 'yes' + use_password: 'no' + ciphers: 'HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH' + ssl_agent_ca: null + ssl_verify_host: 'no' + ssl_manager_cert: 'sslmanager.cert' + ssl_manager_key: 'sslmanager.key' + ssl_auto_negotiate: 'no' + +## Cluster +wazuh_manager_cluster: + disable: 'yes' + name: 'wazuh' + node_name: 'manager_01' + node_type: 'master' + key: 'ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa' + port: '1516' + bind_addr: '0.0.0.0' + nodes: + - 'manager' + hidden: 'no' + +## Wazuh API setup +wazuh_manager_api: + bind_addr: 0.0.0.0 + port: 55000 + behind_proxy_server: no + https: yes + https_key: "api/configuration/ssl/server.key" + https_cert: "api/configuration/ssl/server.crt" + https_use_ca: False + https_ca: "api/configuration/ssl/ca.crt" + logging_level: "info" + logging_path: "logs/api.log" + cors: no + cors_source_route: "*" + cors_expose_headers: "*" + cors_allow_headers: "*" + cors_allow_credentials: no + cache: yes + cache_time: 0.750 + access_max_login_attempts: 5 + access_block_time: 300 + access_max_request_per_minute: 300 + drop_privileges: yes + experimental_features: no + remote_commands_localfile: yes + remote_commands_localfile_exceptions: [] + remote_commands_wodle: yes + remote_commands_wodle_exceptions: [] +# wazuh_api_users: +# - username: custom-user +# password: .S3cur3Pa55w0rd*- # Must comply with requirements (8+ length, uppercase, lowercase, specials chars) + +# NOTE: As wazuh_manager_config is built dynamically per playbooks and ansible.cfg provided in the repo, +# we should also cover the case for partial settings in inventory variables overlayed on top of role's +# defaults with merge hash_behaviour. If you do a full replace instead of the hash_behaviour, set this to false. 
+# +# Please do notice this behaviour is deprecated in 2.13 and role will move away from it in future versions: +# https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-hash-behaviour +# +wazuh_manager_config_overlay: true + +## Other/Wrappers +wazuh_manager_config_defaults: + repo: '{{ wazuh_repo }}' + json_output: '{{ wazuh_manager_json_output }}' + alerts_log: '{{ wazuh_manager_alerts_log }}' + logall: '{{ wazuh_manager_logall }}' + logall_json: '{{ wazuh_manager_logall_json }}' + log_format: '{{ wazuh_manager_log_format }}' + api: '{{ wazuh_manager_api }}' + cluster: '{{ wazuh_manager_cluster }}' + connection: '{{ wazuh_manager_connection }}' + authd: '{{ wazuh_manager_authd }}' + email_notification: '{{ wazuh_manager_email_notification }}' + mail_to: '{{ wazuh_manager_mailto }}' + mail_smtp_server: '{{ wazuh_manager_email_smtp_server }}' + mail_from: '{{ wazuh_manager_email_from }}' + mail_maxperhour: '{{ wazuh_manager_email_maxperhour }}' + mail_queue_size: '{{ wazuh_manager_email_queue_size }}' + email_log_source: '{{ wazuh_manager_email_log_source }}' + extra_emails: '{{ wazuh_manager_extra_emails }}' + reports: '{{ wazuh_manager_reports}}' + syscheck: '{{ wazuh_manager_syscheck }}' + rootcheck: '{{ wazuh_manager_rootcheck }}' + openscap: '{{ wazuh_manager_openscap }}' + cis_cat: '{{ wazuh_manager_ciscat }}' + osquery: '{{ wazuh_manager_osquery }}' + syscollector: '{{ wazuh_manager_syscollector }}' + sca: '{{ wazuh_manager_sca }}' + vulnerability_detector: '{{ wazuh_manager_vulnerability_detector }}' + log_level: '{{ wazuh_manager_log_level }}' + email_level: '{{ wazuh_manager_email_level }}' + localfiles: '{{ wazuh_manager_localfiles }}' + globals: '{{ wazuh_manager_globals }}' + commands: '{{ wazuh_manager_commands }}' + ruleset: '{{ wazuh_manager_ruleset }}' + rule_exclude: '{{ wazuh_manager_rule_exclude }}' + syslog_outputs: '{{ wazuh_manager_syslog_outputs }}' + integrations: '{{ wazuh_manager_integrations }}' + monitor_aws: 
'{{ wazuh_manager_monitor_aws }}' + labels: '{{ wazuh_manager_labels }}' + agents_disconnection_time: '{{ wazuh_manager_agent_disconnection_time }}' + agents_disconnection_alert_time: '{{ wazuh_manager_agents_disconnection_alert_time }}' + +# shared-agent.conf + +# shared_agent_config: +# - type: os +# type_value: Linux +# syscheck: +# frequency: 43200 +# scan_on_start: 'yes' +# ignore: +# - /etc/mtab +# - /etc/mnttab +# - /etc/hosts.deny +# - /etc/mail/statistics +# - /etc/svc/volatile +# no_diff: +# - /etc/ssl/private.key +# rootcheck: +# frequency: 43200 +# cis_distribution_filename: null +# localfiles: +# - format: 'syslog' +# location: '/var/log/messages' +# - format: 'syslog' +# location: '/var/log/secure' +# - format: 'syslog' +# location: '/var/log/maillog' +# - format: 'apache' +# location: '/var/log/httpd/error_log' +# - format: 'apache' +# location: '/var/log/httpd/access_log' +# - format: 'apache' +# location: "{{ wazuh_dir }}/logs/active-responses.log" +# - type: os +# type_value: Windows +# syscheck: +# frequency: 43200 +# scan_on_start: 'yes' +# auto_ignore: 'no' +# windows_registry: +# - key: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile' +# arch: 'both' +# - key: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder' +# localfiles: +# - location: 'Security' +# format: 'eventchannel' +# - location: 'System' +# format: 'eventlog' diff --git a/roles/wazuh/ansible-wazuh-manager/files/create_user.py b/roles/wazuh/ansible-wazuh-manager/files/create_user.py new file mode 100644 index 0000000..0216d58 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/files/create_user.py 
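Review bot: `wazuh_manager_cluster.key` ships a fixed 32-character secret in role defaults, so any deployment that enables the cluster without overriding it uses a key that is public in this repository; leave it empty instead, e.g. `key: ''  # REQUIRED when cluster.disable is 'no'; generate per deployment and keep it in vault`, and fail early (an `assert` in the config task) when the cluster is enabled and the key is blank, unless a task outside this hunk already does that. In the same hunk `wazuh_manager_authd` defaults to `use_password: 'no'` together with `force.enabled: 'yes'` and `key_mismatch: 'yes'`, which as I read Wazuh's authd options lets any host that can reach port 1515 enrol and displace an existing agent's key; a comment on those lines saying so, or a default of `use_password: 'yes'`, would keep operators from inheriting it unknowingly. `ssl_verify_host: 'no'`, `wazuh_manager_api.https_use_ca: False` and both `bind_addr: 0.0.0.0` values deserve the same one-line caveat. Style: the API block writes booleans as `yes`/`no`/`False` while the rest of the file quotes them (`'yes'`/`'no'`); one form throughout avoids the YAML 1.1 truthy trap the quoting was presumably added for.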
@@ -0,0 +1,102 @@ +import logging +import sys +import json +import random +import string +import os + +# Set framework path +sys.path.append(os.path.dirname(sys.argv[0]) + "/../framework") + +USER_FILE_PATH = "/var/ossec/api/configuration/admin.json" +SPECIAL_CHARS = "@$!%*?&-_" + + +try: + from wazuh.rbac.orm import check_database_integrity + from wazuh.security import ( + create_user, + get_users, + get_roles, + set_user_role, + update_user, + ) +except Exception as e: + logging.error("No module 'wazuh' found.") + sys.exit(1) + + +def read_user_file(path=USER_FILE_PATH): + with open(path) as user_file: + data = json.load(user_file) + return data["username"], data["password"] + + +def db_users(): + users_result = get_users() + return {user["username"]: user["id"] for user in users_result.affected_items} + + +def db_roles(): + roles_result = get_roles() + return {role["name"]: role["id"] for role in roles_result.affected_items} + +def disable_user(uid): + random_pass = "".join( + random.choices( + string.ascii_uppercase + + string.ascii_lowercase + + string.digits + + SPECIAL_CHARS, + k=8, + ) + ) + # assure there must be at least one character from each group + random_pass = random_pass + ''.join([random.choice(chars) for chars in [string.ascii_lowercase, string.digits, string.ascii_uppercase, SPECIAL_CHARS]]) + random_pass = ''.join(random.sample(random_pass,len(random_pass))) + update_user( + user_id=[ + str(uid), + ], + password=random_pass, + ) + + +if __name__ == "__main__": + if not os.path.exists(USER_FILE_PATH): + # abort if no user file detected + sys.exit(0) + username, password = read_user_file() + + # create RBAC database + check_database_integrity() + + initial_users = db_users() + if username not in initial_users: + # create a new user + create_user(username=username, password=password) + users = db_users() + uid = users[username] + roles = db_roles() + rid = roles["administrator"] + set_user_role( + user_id=[ + str(uid), + ], + role_ids=[ + 
str(rid), + ], + ) + else: + # modify an existing user ("wazuh" or "wazuh-wui") + uid = initial_users[username] + update_user( + user_id=[ + str(uid), + ], + password=password, + ) + # disable unused default users + #for def_user in ['wazuh', 'wazuh-wui']: + # if def_user != username: + # disable_user(initial_users[def_user]) \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-manager/files/custom_ruleset/decoders/sample_custom_decoders.xml b/roles/wazuh/ansible-wazuh-manager/files/custom_ruleset/decoders/sample_custom_decoders.xml new file mode 100644 index 0000000..bf5947c --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/files/custom_ruleset/decoders/sample_custom_decoders.xml @@ -0,0 +1,25 @@ + + + + + + + + sample_custom_decoder + diff --git a/roles/wazuh/ansible-wazuh-manager/files/custom_ruleset/rules/sample_custom_rules.xml b/roles/wazuh/ansible-wazuh-manager/files/custom_ruleset/rules/sample_custom_rules.xml new file mode 100644 index 0000000..e5fb356 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/files/custom_ruleset/rules/sample_custom_rules.xml @@ -0,0 +1,18 @@ + + + + + + + + + + 5716 + 1.1.1.1 + sshd: authentication failed from IP 1.1.1.1. + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5, + + + diff --git a/roles/wazuh/ansible-wazuh-manager/handlers/main.yml b/roles/wazuh/ansible-wazuh-manager/handlers/main.yml new file mode 100644 index 0000000..faf885b --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/handlers/main.yml @@ -0,0 +1,12 @@ +--- +- name: restart wazuh-manager + service: + name: wazuh-manager + state: restarted + enabled: true + +- name: restart wazuh-api + service: + name: wazuh-api + state: restarted + enabled: true diff --git a/roles/wazuh/ansible-wazuh-manager/meta/main.yml b/roles/wazuh/ansible-wazuh-manager/meta/main.yml new file mode 100644 index 0000000..1275d23 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/meta/main.yml 
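Review bot: `disable_user` builds a replacement password with `random.choices`, `random.choice` and `random.sample` from the `random` module, which is a Mersenne Twister PRNG and not suitable for secrets; `secrets.SystemRandom()` exposes the same three calls backed by OS entropy and is a drop-in replacement. As written the function is dead code, because the `for def_user in ['wazuh', 'wazuh-wui']` loop at the end of `__main__` is commented out, so whichever default user is not the configured one is left untouched rather than disabled; either re-enable the loop or remove the function so its name does not suggest a rotation that never happens. The `except Exception as e` around the framework imports also discards the real error (`e` is never logged); `logging.error("No module 'wazuh' found: %s", e)` would keep it. The rewrite below keeps the original length and per-class guarantees.

```python
import secrets  # replaces `import random`: password material needs a CSPRNG

# … unchanged: framework import, read_user_file, db_users, db_roles …

def disable_user(uid):
    rng = secrets.SystemRandom()
    alphabet = string.ascii_uppercase + string.ascii_lowercase + string.digits + SPECIAL_CHARS
    random_pass = "".join(rng.choices(alphabet, k=8))
    # assure there must be at least one character from each group
    random_pass += "".join(rng.choice(chars) for chars in [string.ascii_lowercase, string.digits, string.ascii_uppercase, SPECIAL_CHARS])
    random_pass = "".join(rng.sample(random_pass, len(random_pass)))
    # … unchanged: update_user call …
```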
@@ -0,0 +1,23 @@
+---
+galaxy_info:
+ author: Wazuh
+ description: Installing, deploying and configuring Wazuh Manager.
+ company: wazuh.com
+ license: license (GPLv3)
+ min_ansible_version: 2.0
+ platforms:
+ - name: EL
+ versions:
+ - all
+ - name: Ubuntu
+ versions:
+ - all
+ - name: Debian
+ versions:
+ - all
+ - name: Fedora
+ versions:
+ - all
+ galaxy_tags:
+ - monitoring
+dependencies: []
diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml b/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml
new file mode 100644
index 0000000..1079f8d
--- /dev/null
+++ b/roles/wazuh/ansible-wazuh-manager/tasks/Debian.yml
@@ -0,0 +1,123 @@ +--- +- name: Debian/Ubuntu | Install apt-transport-https, ca-certificates and acl + apt: + name: + - apt-transport-https + - ca-certificates + - gnupg + - acl + state: present + cache_valid_time: 3600 + install_recommends: false + register: wazuh_manager_https_packages_installed + until: wazuh_manager_https_packages_installed is succeeded + +- name: Debian/Ubuntu | Installing Wazuh repository key (Ubuntu 14) + become: true + shell: | + set -o pipefail + curl -s {{ wazuh_manager_config.repo.gpg }} | apt-key add - + args: + warn: false + executable: /bin/bash + changed_when: false + when: + - ansible_distribution == "Ubuntu" + - ansible_distribution_major_version | int == 14 + - not wazuh_manager_sources_installation.enabled + - not wazuh_custom_packages_installation_manager_enabled + +- name: Debian/Ubuntu | Installing Wazuh repository key + apt_key: + url: "{{ wazuh_manager_config.repo.gpg }}" + id: "{{ wazuh_manager_config.repo.key_id }}" + when: + - not (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14) + - not wazuh_manager_sources_installation.enabled + - not wazuh_custom_packages_installation_manager_enabled + +- name: Debian/Ubuntu | Add Wazuh repositories + apt_repository: + filename: wazuh_repo + repo: "{{ wazuh_manager_config.repo.apt }}" + state: present + update_cache: true + changed_when: false + when: + - not wazuh_manager_sources_installation.enabled + - not wazuh_custom_packages_installation_manager_enabled + +- name: Debian/Ubuntu | Set Distribution CIS filename for Debian/Ubuntu + set_fact: + cis_distribution_filename: cis_debian_linux_rcl.txt + +- name: Debian/Ubuntu | Install OpenJDK-8 repo + apt_repository: + repo: 'ppa:openjdk-r/ppa' + state: present + update_cache: true + when: + - (ansible_distribution == "Ubuntu" and ansible_distribution_major_version | int == 14) + +- when: + - wazuh_manager_config.cis_cat.disable == 'no' + - wazuh_manager_config.cis_cat.install_java == 'yes' + block: + 
- name: Debian/Ubuntu | Install OpenJDK 1.8 + apt: name=openjdk-8-jre state=present cache_valid_time=3600 + tags: + - init + +- name: Debian/Ubuntu | Install OpenScap + apt: + name: + - libopenscap8 + - xsltproc + state: present + cache_valid_time: 3600 + install_recommends: false + register: wazuh_manager_openscap_installed + until: wazuh_manager_openscap_installed is succeeded + when: wazuh_manager_config.openscap.disable == 'no' + tags: + - init + +- name: Debian/Ubuntu | Get OpenScap installed version + shell: "dpkg-query --showformat='${Version}' --show libopenscap8" + when: wazuh_manager_config.openscap.disable == 'no' + register: openscap_version + changed_when: false + tags: + - config + +- name: Debian/Ubuntu | Check OpenScap version + shell: "dpkg --compare-versions '{{ openscap_version.stdout }}' '>=' '1.2'; echo $?" + when: wazuh_manager_config.openscap.disable == 'no' + register: openscap_version_valid + changed_when: false + tags: + - config + +- name: Install dependencies to build from sources + apt: + name: ['make', 'gcc', 'automake', 'autoconf', 'libtool', 'tar', 'libssl-dev', 'g++'] + state: present + when: wazuh_manager_sources_installation.enabled + +- name: Debian/Ubuntu | Install wazuh-manager + apt: + name: + - "wazuh-manager={{ wazuh_manager_version }}-*" + state: present + tags: init + when: + - not wazuh_manager_sources_installation.enabled + - not wazuh_custom_packages_installation_manager_enabled + +- include_tasks: "installation_from_sources.yml" + when: + - wazuh_manager_sources_installation.enabled + +- include_tasks: "installation_from_custom_packages.yml" + when: + - wazuh_custom_packages_installation_manager_enabled diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml b/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml new file mode 100644 index 0000000..b873b02 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/tasks/RedHat.yml 
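Review bot: The Ubuntu 14 repository-key task pipes `curl -s {{ wazuh_manager_config.repo.gpg }}` straight into `apt-key add -` without `--fail`, so an HTTP error body still exits curl with 0 and `set -o pipefail` never fires, and unlike the `apt_key` task right after it there is no `id:` pinning the expected key fingerprint; at minimum use `curl -sSf {{ wazuh_manager_config.repo.gpg }} | apt-key add -`, or drop the special case and let `apt_key` (which takes `id:`) cover Ubuntu 14 too. `args: warn: false` on that `shell` task will, as far as I recall, make the task error outright on ansible-core 2.14+ where the `warn` parameter was removed, and `changed_when: false` on the `apt_repository` task means adding the repo is never reported as a change. The `apt: name=openjdk-8-jre state=present cache_valid_time=3600` line is still `key=value` form while every other task in this file uses block YAML.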
@@ -0,0 +1,144 @@ +--- +- name: RedHat/CentOS 5 | Install Wazuh repo + yum_repository: + name: wazuh_repo + description: Wazuh repository + baseurl: "{{ wazuh_manager_config.repo.yum }}5/" + gpgkey: "{{ wazuh_manager_config.repo.gpg }}-5" + gpgcheck: true + changed_when: false + when: + - (ansible_os_family|lower == 'redhat') and (ansible_distribution|lower != 'amazon') + - (ansible_distribution_major_version|int <= 5) + - not wazuh_manager_sources_installation.enabled + - not wazuh_custom_packages_installation_manager_enabled + register: repo_v5_manager_installed + +- name: RedHat/CentOS/Fedora | Install Wazuh repo + yum_repository: + name: wazuh_repo + description: Wazuh repository + baseurl: "{{ wazuh_manager_config.repo.yum }}" + gpgkey: "{{ wazuh_manager_config.repo.gpg }}" + gpgcheck: true + changed_when: false + when: + - repo_v5_manager_installed is skipped + - not wazuh_manager_sources_installation.enabled + - not wazuh_custom_packages_installation_manager_enabled + +- name: RedHat/CentOS/Fedora | Install openscap + package: name={{ item }} state=present + with_items: + - openscap-scanner + register: wazuh_manager_openscp_packages_installed + until: wazuh_manager_openscp_packages_installed is succeeded + tags: + - init + when: not (ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA") and + not (ansible_distribution == "CentOS" and ansible_distribution_major_version == "8") + +- name: CentOS 6 | Install Software Collections (SCL) Repository + package: name=centos-release-scl state=present + register: wazuh_manager_scl_packages_installed + until: wazuh_manager_scl_packages_installed is succeeded + when: + - ansible_distribution == 'CentOS' and ansible_distribution_major_version == '6' + - wazuh_manager_config.cluster.disable != 'yes' + +- name: RedHat 6 | Enabling Red Hat Software Collections (RHSCL) + command: yum-config-manager --enable {{ item }} + with_items: + - rhui-REGION-rhel-server-rhscl + - rhel-server-rhscl-6-rpms + 
when: + - ansible_distribution == 'RedHat' and ansible_distribution_major_version == '6' + - wazuh_manager_config.cluster.disable != 'yes' + +- name: CentOS/RedHat 6 | Install Python 2.7 + package: name=python27 state=present + register: wazuh_manager_python_package_installed + until: wazuh_manager_python_package_installed is succeeded + when: + - ( ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' ) and ansible_distribution_major_version == '6' + - wazuh_manager_config.cluster.disable != 'yes' + +- name: RedHat/CentOS/Fedora | Install OpenJDK 1.8 + yum: name=java-1.8.0-openjdk state=present + when: + - wazuh_manager_config.cis_cat.disable == 'no' + - wazuh_manager_config.cis_cat.install_java == 'yes' + tags: + - init + +- name: Set Distribution CIS filename for RHEL5/CentOS-5 + set_fact: + cis_distribution_filename: cis_rhel5_linux_rcl.txt + when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '5' + +- name: Set Distribution CIS filename for RHEL6/CentOS-6 + set_fact: + cis_distribution_filename: cis_rhel6_linux_rcl.txt + when: ansible_os_family == "RedHat" and ansible_distribution_major_version == '6' + +- name: Set Distribution CIS filename for RHEL7/CentOS-7 + set_fact: + cis_distribution_filename: cis_rhel7_linux_rcl.txt + when: + - ansible_os_family == "RedHat" and ansible_distribution_major_version == '7' + +- name: Set Distribution CIS filename for RHEL7/CentOS-7 (Amazon) + set_fact: + cis_distribution_filename: cis_rhel7_linux_rcl.txt + when: + - ansible_distribution == "Amazon" and ansible_distribution_major_version == "NA" + +- name: Install dependencies to build from sources + yum: + name: ['make', 'gcc', 'automake', 'autoconf', 'libtool', 'tar', 'openssl-devel', 'gcc-c++'] + state: present + when: wazuh_manager_sources_installation.enabled + +- name: CentOS/RedHat/Amazon | Install wazuh-manager + package: + name: "wazuh-manager-{{ wazuh_manager_version }}" + state: "{{ wazuh_manager_package_state }}" + 
register: wazuh_manager_main_packages_installed + until: wazuh_manager_main_packages_installed is succeeded + when: + - ansible_os_family|lower == "redhat" + - not wazuh_manager_sources_installation.enabled + - not wazuh_custom_packages_installation_manager_enabled + tags: + - init + +- include_tasks: "../tasks/installation_from_sources.yml" + when: + - wazuh_manager_sources_installation.enabled + +- include_tasks: "../tasks/installation_from_custom_packages.yml" + when: + - wazuh_custom_packages_installation_manager_enabled + +- name: CentOS/RedHat 6 | Enabling python2.7 and sqlite3 + replace: + path: /etc/init.d/wazuh-manager + regexp: 'echo -n "Starting Wazuh-manager: "' + replace: "echo -n \"Starting Wazuh-manager (EL6): \"; source /opt/rh/python27/enable; export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:{{ wazuh_dir }}/framework/lib" + when: + - ansible_distribution in ['CentOS', 'RedHat', 'Amazon'] and ansible_distribution_major_version|int == 6 + - wazuh_manager_config.cluster.disable != 'yes' + +- name: Install expect (EL5) + package: + name: "{{ item }}" + state: "{{ wazuh_manager_package_state }}" + with_items: + - expect + register: wazuh_manager_main_packages_installed + until: wazuh_manager_main_packages_installed is succeeded + when: + - ansible_os_family|lower == "RedHat" + - ansible_distribution_major_version|int < 6 + tags: + - init diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/install_cmake.yml b/roles/wazuh/ansible-wazuh-manager/tasks/install_cmake.yml new file mode 100644 index 0000000..9940c70 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/tasks/install_cmake.yml 
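Review bot: The `Install expect (EL5)` task at the end of the hunk tests `ansible_os_family|lower == "RedHat"`, which can never be true because `|lower` yields `redhat` (every other condition in this file compares against the lowercase form), so the task is silently skipped everywhere; the intended line is `- ansible_os_family|lower == "redhat"`. It also reuses `register: wazuh_manager_main_packages_installed`, the variable the `Install wazuh-manager` task just registered, which would clobber the install result for anything reading it later. `main.yml` in this same patch only includes `RedHat.yml` when the major version is greater than 5 (or the distribution is Amazon), so the EL5 task is dead either way and is best removed. Separately, `CentOS/RedHat 6 | Enabling python2.7 and sqlite3` rewrites the packaged `/etc/init.d/wazuh-manager` in place with `replace:`; it is idempotent only because the regexp stops matching after the first run, and a package upgrade silently undoes it, which deserves a comment on the task.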
@@ -0,0 +1,40 @@
+---
+
+# Vars
+# cmake_download_url: http://packages.wazuh.com/utils/cmake/cmake-3.18.3.tar.gz
+# cmake_version: 3.18.3
+#
+ - name: Include CMake install vars
+ include_vars: install_cmake.yml
+
+ - name: Download CMake sources
+ get_url:
+ url: "{{ cmake_download_url }}"
+ dest: "/tmp/cmake-{{ cmake_version }}.tar.gz"
+ register: cmake_download
+
+ - name: Unpack CMake
+ unarchive:
+ copy: no
+ dest: /tmp/
+ src: "{{ cmake_download.dest }}"
+ when: cmake_download.changed
+ register: cmake_unpack
+
+ - name: Configure CMake
+ command: "./bootstrap"
+ args:
+ chdir: "/tmp/cmake-{{ cmake_version }}"
+ when: cmake_unpack.changed
+ register: cmake_configure
+
+ - name: Install CMake
+ shell: make && make install
+ args:
+ chdir: "/tmp/cmake-{{ cmake_version }}"
+ when: cmake_configure.changed
+
+ - name: Delete installation files
+ file:
+ state: absent
+ path: "/tmp/cmake-{{ cmake_version }}"
\ No newline at end of file
diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_custom_packages.yml b/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_custom_packages.yml
new file mode 100644
index 0000000..e238ad0
--- /dev/null
+++ b/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_custom_packages.yml
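Review bot: `Download CMake sources` fetches `{{ cmake_download_url }}` with `get_url` and no `checksum:`, and the result is then built and installed as root by `make && make install`; the commented vars in the header show a plain `http://` URL, so this is an unauthenticated download run with full privileges (the live value sits in `vars/install_cmake.yml`, outside this hunk). Add `checksum: "sha256:{{ cmake_sha256 }}"` to `get_url`, with the digest pinned beside `cmake_version`, and prefer an `https://` URL. The `when: *.changed` chain also has a recovery gap: `Delete installation files` removes only the extracted directory, so after a failed build the tarball is still in `/tmp`, the next run's `get_url` reports unchanged, and unpack/configure/install are all skipped with CMake never installed; remove the tarball in the cleanup task as well (or gate `Install CMake` on `creates: /usr/local/bin/cmake`). Building in the predictable, world-writable `/tmp/cmake-{{ cmake_version }}` additionally lets any local user pre-create that path before the play runs; `tempfile:` or a root-owned build directory avoids it.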
@@ -0,0 +1,31 @@
+---
+ - block:
+ - name: Install Wazuh Manager from .deb packages
+ apt:
+ deb: "{{ wazuh_custom_packages_installation_manager_deb_url }}"
+ state: present
+ when:
+ - wazuh_custom_packages_installation_manager_enabled
+ when:
+ - ansible_os_family|lower == "debian"
+
+ - block:
+ - name: Install Wazuh Manager from .rpm packages | yum
+ yum:
+ name: "{{ wazuh_custom_packages_installation_manager_rpm_url }}"
+ state: present
+ when:
+ - wazuh_custom_packages_installation_manager_enabled
+ - not (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8")
+ - not (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
+
+ - name: Install Wazuh Manager from .rpm packages | dnf
+ dnf:
+ name: "{{ wazuh_custom_packages_installation_manager_rpm_url }}"
+ state: present
+ when:
+ - wazuh_custom_packages_installation_manager_enabled
+ - (ansible_distribution|lower == "centos" and ansible_distribution_major_version >= "8") or
+ (ansible_distribution|lower == "redhat" and ansible_distribution_major_version >= "8")
+ when:
+ - ansible_os_family|lower == "redhat"
\ No newline at end of file
diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml b/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml
new file mode 100644
index 0000000..74818bc
--- /dev/null
+++ b/roles/wazuh/ansible-wazuh-manager/tasks/installation_from_sources.yml
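Review bot: Both RedHat branches compare `ansible_distribution_major_version >= "8"` as strings, so `"10" >= "8"` is false and an EL10 host is routed to the `yum` task instead of `dnf`; write `ansible_distribution_major_version | int >= 8` in all four conditions. The package is installed straight from `wazuh_custom_packages_installation_manager_deb_url` / `_rpm_url` via `apt: deb:` and `yum`/`dnf: name: <url>`, which bypasses repository signature checks (`apt` does not verify a `.deb` passed by URL, and yum/dnf only check a URL-supplied package when `localpkg_gpgcheck` is enabled, as far as I know); a comment stating that this path is for unsigned dev builds only, and a `get_url` with `checksum:` before the install if it is kept, would make that explicit. The defaults in this same patch set both URLs to the bucket root `https://s3-us-west-1.amazonaws.com/packages-dev.wazuh.com/`, which is not a package file; leaving them empty and `assert`-ing they are set when the feature is enabled is safer than a default that can only fail at install time. The inner `when: wazuh_custom_packages_installation_manager_enabled` duplicates the include condition in `Debian.yml`/`RedHat.yml`, which is harmless but worth a comment if intentional.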
@@ -0,0 +1,125 @@ +--- +# Wazuh Manager + - name: Check if Wazuh Manager is already installed + stat: + path: "{{ wazuh_dir }}/bin/wazuh-control" + register: wazuh_control_path + + - name: Installing Wazuh Manager from sources + block: + - name: Install dependencies to build Wazuh packages + package: + name: + - make + - gcc + - automake + - autoconf + - libtool + - tar + state: present + + - name: Install CMake + include_tasks: install_cmake.yml + + - name: Removing old files + file: + path: "/tmp/{{ wazuh_manager_sources_installation.branch }}.tar.gz" + state: absent + + - name: Removing old folders + file: + path: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}" + state: absent + + - name: Installing policycoreutils-python (RedHat families) + package: + name: + - policycoreutils-python + when: + - ansible_os_family|lower == "redhat" + + - name: Installing policycoreutils-python-utils (Debian families) + package: + name: + - libc6-dev + - curl + - policycoreutils + when: + - ansible_os_family|lower == "debian" + + - name: Remove old repository folder + file: + path: /tmp/wazuh-{{ wazuh_manager_sources_installation.branch }} + state: absent + + - name: Download required packages from github.com/wazuh/wazuh + get_url: + url: "https://github.com/wazuh/wazuh/archive/{{ wazuh_manager_sources_installation.branch }}.tar.gz" + dest: "/tmp/{{ wazuh_manager_sources_installation.branch }}.tar.gz" + delegate_to: "{{ inventory_hostname }}" + + - name: Create folder to extract Wazuh branch + file: + path: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}" + owner: root + group: root + mode: 0644 + state: directory + + # When downloading "v3.11.0" extracted folder name is 3.11.0. 
+ + # Explicitly creating the folder with proper naming and striping first level in .tar.gz file + + - name: Extract downloaded Wazuh branch from Github # Using shell instead of unarchive due to that module not working properlyh with --strip + command: >- + tar -xzvf /tmp/{{ wazuh_manager_sources_installation.branch }}.tar.gz + --strip 1 + --directory /tmp/wazuh-{{ wazuh_manager_sources_installation.branch }} + register: wazuh_untar + changed_when: wazuh_untar.rc ==0 + args: + warn: false + + - name: Clean remaining files from others builds + command: "make -C src {{ item }}" + args: + chdir: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}/src/" + with_items: + - "clean" + - "clean-deps" + register: clean_result + changed_when: clean_result.rc == 0 + failed_when: false + + - name: Render the "preloaded-vars.conf" file + template: + src: "templates/preloaded_vars_manager.conf.j2" + dest: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}/etc/preloaded-vars.conf" + owner: root + group: root + mode: 0644 + + - name: Executing "install.sh" script to build and install the Wazuh Manager + shell: ./install.sh > /tmp/build_wazuh_manager_log.txt + register: installation_result + changed_when: installation_result == 0 + args: + chdir: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}" + environment: + PATH: /usr/local/bin:{{ ansible_env.PATH }} + + - name: Cleanup downloaded files + file: + path: "/tmp/{{ wazuh_manager_sources_installation.branch }}.tar.gz" + state: absent + + - name: Cleanup created folders + file: + path: "/tmp/wazuh-{{ wazuh_manager_sources_installation.branch }}" + state: absent + + when: + - not wazuh_control_path.stat.exists + - wazuh_manager_sources_installation.enabled + tags: + - manager diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/main.yml b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml new file mode 100644 index 0000000..3e3e9a0 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/tasks/main.yml 
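Review bot: `Executing "install.sh"` sets `changed_when: installation_result == 0`, comparing the whole registered result dict with an integer, so the task always reports unchanged; it should be `changed_when: installation_result.rc == 0`, as the `Extract downloaded Wazuh branch` task just above already does. `Create folder to extract Wazuh branch` creates a directory with `mode: 0644`, i.e. no execute bit, which only works because the play runs as root; use `mode: "0755"` (quoted, per the Ansible convention for octal modes). The source tarball comes from `https://github.com/wazuh/wazuh/archive/{{ wazuh_manager_sources_installation.branch }}.tar.gz` with no `checksum:` and is then built and installed as root, so the build is only as trustworthy as the TLS session and a mutable git tag; pinning a digest, or at least a comment noting that tags can be moved, would help. Smaller points: `delegate_to: "{{ inventory_hostname }}"` on the download is a no-op, and the task named `Installing policycoreutils-python-utils (Debian families)` actually installs `libc6-dev`, `curl` and `policycoreutils`.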
@@ -0,0 +1,339 @@
+---
+
+- name: "Install dependencies"
+ package:
+ name:
+ - unzip
+ - openssl
+ - tar
+ - curl
+ state: present
+ register: package_status
+ until: "package_status is not failed"
+ retries: 10
+ delay: 10
+
+- include_vars: ../../vars/repo_vars.yml
+
+- include_vars: ../../vars/repo.yml
+ when: packages_repository == 'production'
+
+- include_vars: ../../vars/repo_pre-release.yml
+ when: packages_repository == 'pre-release'
+
+- include_vars: ../../vars/repo_staging.yml
+ when: packages_repository == 'staging'
+
+- name: Overlay wazuh_manager_config on top of defaults
+ set_fact:
+ wazuh_manager_config: '{{ wazuh_manager_config_defaults | combine(config_layer, recursive=True) }}'
+ vars:
+ config_layer: '{{ wazuh_manager_config | default({}) }}'
+ when: wazuh_manager_config_overlay | bool
+
+- include_tasks: "RedHat.yml"
+ when: (ansible_os_family == "RedHat" and ansible_distribution_major_version|int > 5) or (ansible_os_family == "RedHat" and ansible_distribution == "Amazon")
+
+- include_tasks: "Debian.yml"
+ when: ansible_os_family == "Debian"
+
+- name: Install expect
+ package:
+ name: expect
+ state: "{{ wazuh_manager_package_state }}"
+ when:
+ - not (ansible_os_family|lower == "redhat" and ansible_distribution_major_version|int < 6) and
+ not (ansible_distribution|lower == "centos" and ansible_distribution_major_version|int == 8)
+ tags: init
+
+- name: Generate SSL files for authd
+ command: "openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:1825 -keyout sslmanager.key -out sslmanager.cert -subj /CN={{ wazuh_manager_fqdn }}/"
+ args:
+ creates: sslmanager.cert
+ chdir: "{{ wazuh_dir }}/etc/"
+ tags:
+ - config
+ when: wazuh_manager_config.authd.ssl_agent_ca is not none
+
+- name: Copy CA, SSL key and cert for authd
+ copy:
+ src: "{{ item }}"
+ dest: "{{ wazuh_dir }}/etc/{{ item }}"
+ mode: 0644
+ with_items:
+ - "{{ wazuh_manager_config.authd.ssl_agent_ca }}"
+ - "{{ wazuh_manager_config.authd.ssl_manager_cert }}"
+ - "{{
wazuh_manager_config.authd.ssl_manager_key }}" + tags: + - config + when: wazuh_manager_config.authd.ssl_agent_ca is not none + +- name: Verifying for old init authd service + stat: path=/etc/init.d/ossec-authd + register: old_authd_service + tags: + - config + +- name: Verifying for old systemd authd service + stat: path=/lib/systemd/system/ossec-authd.service + register: old_authd_service + tags: + - config + +- name: Ensure ossec-authd service is disabled + service: name=ossec-authd enabled=no state=stopped + when: old_authd_service.stat.exists + tags: + - config + +- name: Removing old init authd services + file: path="{{ item }}" state=absent + with_items: + - "/etc/init.d/ossec-authd" + - "/lib/systemd/system/ossec-authd.service" + when: old_authd_service.stat.exists + tags: + - config + +- name: Installing the local_rules.xml (default local_rules.xml) + template: src=var-ossec-rules-local_rules.xml.j2 + dest="{{ wazuh_dir }}/etc/rules/local_rules.xml" + owner=wazuh + group=wazuh + mode=0640 + notify: restart wazuh-manager + tags: + - init + - config + - rules + +- name: Adding local rules files + copy: src="{{ wazuh_manager_config.ruleset.rules_path }}" + dest="{{ wazuh_dir }}/etc/rules/" + owner=wazuh + group=wazuh + mode=0640 + notify: restart wazuh-manager + tags: + - init + - config + - rules + +- name: Installing the local_decoder.xml + template: src=var-ossec-rules-local_decoder.xml.j2 + dest="{{ wazuh_dir }}/etc/decoders/local_decoder.xml" + owner=wazuh + group=wazuh + mode=0640 + notify: restart wazuh-manager + tags: + - init + - config + - rules + +- name: Adding local decoders files + copy: src="{{ wazuh_manager_config.ruleset.decoders_path }}" + dest="{{ wazuh_dir }}/etc/decoders/" + owner=wazuh + group=wazuh + mode=0640 + notify: restart wazuh-manager + tags: + - init + - config + - rules + +- name: Configure the shared-agent.conf + template: + src: var-ossec-etc-shared-agent.conf.j2 + dest: "{{ wazuh_dir }}/etc/shared/default/agent.conf" + 
owner: wazuh + group: wazuh + mode: 0640 + validate: "{{ wazuh_dir }}/bin/verify-agent-conf -f %s" + notify: restart wazuh-manager + tags: + - init + - config + when: + - shared_agent_config is defined + +- name: Installing the local_internal_options.conf + template: src=var-ossec-etc-local-internal-options.conf.j2 + dest="{{ wazuh_dir }}/etc/local_internal_options.conf" + owner=root + group=wazuh + mode=0640 + notify: restart wazuh-manager + tags: + - init + - config + +- name: Retrieving Agentless Credentials + include_vars: agentless_creds.yml + tags: + - config + +- name: Retrieving authd Credentials + include_vars: authd_pass.yml + tags: + - config + +- name: Check if syslog output is enabled + set_fact: syslog_output=true + when: item.server is not none + with_items: + - "{{ wazuh_manager_config.syslog_outputs }}" + tags: + - config + +- name: Check if client-syslog is enabled + shell: | + set -o pipefail + "grep -c 'ossec-csyslogd' {{ wazuh_dir }}/bin/.process_list | xargs echo" + args: + removes: "{{ wazuh_dir }}/bin/.process_list" + executable: /bin/bash + changed_when: false + check_mode: false + register: csyslog_enabled + tags: + - config + +- name: Enable client-syslog + command: "{{ wazuh_dir }}/bin/wazuh-control enable client-syslog" + notify: restart wazuh-manager + when: + - csyslog_enabled.stdout == '0' or "skipped" in csyslog_enabled.stdout + - syslog_output is defined and syslog_output + tags: + - config + +- name: Check if ossec-agentlessd is enabled + shell: | + set -o pipefail + "grep -c 'ossec-agentlessd' {{ wazuh_dir }}/bin/.process_list | xargs echo" + args: + removes: "{{ wazuh_dir }}/bin/.process_list" + executable: /bin/bash + changed_when: false + check_mode: false + register: agentlessd_enabled + tags: + - config + +- name: Enable ossec-agentlessd + command: "{{ wazuh_dir }}/bin/wazuh-control enable agentless" + notify: restart wazuh-manager + when: + - agentlessd_enabled.stdout == '0' or "skipped" in agentlessd_enabled.stdout + - 
agentless_creds is defined + tags: + - config + +- name: Checking alert log output settings + fail: msg="Please enable json_output or alerts_log options." + when: + - wazuh_manager_config.json_output == 'no' + - wazuh_manager_config.alerts_log == 'no' + tags: + - init + - config + +- name: Configure ossec.conf + template: + src: var-ossec-etc-ossec-server.conf.j2 + dest: "{{ wazuh_dir }}/etc/ossec.conf" + owner: root + group: wazuh + mode: 0644 + notify: restart wazuh-manager + tags: + - init + - config + +- name: Ossec-authd password + template: + src: authd_pass.j2 + dest: "{{ wazuh_dir }}/etc/authd.pass" + owner: wazuh + group: wazuh + mode: 0640 + no_log: true + notify: restart wazuh-manager + when: + - wazuh_manager_config.authd.use_password is defined + - wazuh_manager_config.authd.use_password == 'yes' + tags: + - config + +- name: Create custom API user + block: + - name: Copy create_user script + copy: + src: create_user.py + dest: "{{ wazuh_dir }}/framework/scripts/create_user.py" + owner: root + group: wazuh + mode: 0644 + + - name: Create admin.json + template: + src: templates/admin.json.j2 + dest: "{{ wazuh_dir }}/api/configuration/admin.json" + owner: wazuh + group: wazuh + mode: 0644 + no_log: true + + - name: Execute create_user script + script: + chdir: "{{ wazuh_dir }}/framework/scripts/" + cmd: create_user.py --username "{{ item.username }}" --password "{{ item.password }}" + executable: "{{ wazuh_dir }}/framework/python/bin/python3" + with_items: + - "{{ wazuh_api_users }}" + + tags: + - config_api_users + when: + - wazuh_api_users is defined + - wazuh_manager_config.cluster.node_type == "master" + +- name: Agentless Hosts & Passwd + template: + src: agentless.j2 + dest: "{{ wazuh_dir }}/agentless/.passlist_tmp" + owner: root + group: root + mode: 0644 + no_log: true + when: agentless_creds is defined + tags: + - config + +- name: Encode the secret + shell: "/usr/bin/base64 {{ wazuh_dir }}/agentless/.passlist_tmp > {{ wazuh_dir 
}}/agentless/.passlist && rm {{ wazuh_dir }}/agentless/.passlist_tmp" + when: agentless_creds is defined + tags: + - config + +- name: Ensure Wazuh Manager service is started and enabled. + service: + name: "wazuh-manager" + enabled: true + state: started + tags: + - config + +- name: Create agent groups + command: "{{ wazuh_dir }}/bin/agent_groups -a -g {{ item }} -q" + with_items: + - "{{ agent_groups }}" + when: + - ( agent_groups is defined) and ( agent_groups|length > 0) + tags: molecule-idempotence-notest + +- name: Run uninstall tasks + include_tasks: uninstall.yml + when: not wazuh_manager_sources_installation.enabled diff --git a/roles/wazuh/ansible-wazuh-manager/tasks/uninstall.yml b/roles/wazuh/ansible-wazuh-manager/tasks/uninstall.yml new file mode 100644 index 0000000..824e692 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/tasks/uninstall.yml @@ -0,0 +1,15 @@ +--- + +- name: Debian/Ubuntu | Remove Wazuh repository. + apt_repository: + repo: "{{ wazuh_manager_config.repo.apt }}" + state: absent + changed_when: false + when: ansible_os_family == "Debian" + +- name: RedHat/CentOS/Fedora | Remove Wazuh repository (and clean up left-over metadata) + yum_repository: + name: wazuh_repo + state: absent + changed_when: false + when: ansible_os_family == "RedHat" or ansible_os_family == "Amazon" diff --git a/roles/wazuh/ansible-wazuh-manager/templates/admin.json.j2 b/roles/wazuh/ansible-wazuh-manager/templates/admin.json.j2 new file mode 100644 index 0000000..6522f53 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/templates/admin.json.j2 @@ -0,0 +1,4 @@ + +{% for api in wazuh_api_users %} +{"username":"{{ api['username'] }}", "password": "{{ api['password'] }}"} +{% endfor %} \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-manager/templates/agentless.j2 b/roles/wazuh/ansible-wazuh-manager/templates/agentless.j2 new file mode 100644 index 0000000..99b2090 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/templates/agentless.j2 
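Review bot: "Copy CA, SSL key and cert for authd" applies `mode: 0644` to every `with_items` entry, so the authd private key named by `ssl_manager_key` is installed world-readable; give the key `mode: "0640"` with `group: wazuh` (a separate task or a per-item mode), and the `-newkey rsa:1825` in "Generate SSL files for authd" looks like a day count (5×365) rather than a key size — use `rsa:2048` or larger. "Create admin.json" writes the API user passwords with `mode: 0644`, and "Execute create_user script" passes `--password` on the command line without `no_log: true`, so each password shows up in the play output and in the process list while the script runs; tighten the file to `"0640"` and add `no_log: true` to that task. "Configure ossec.conf" likewise uses `mode: 0644` although the rendered file carries `cluster.key` and any integration/AWS credentials from the template; `mode: "0640"` with `group: wazuh` keeps it away from other local users. Both `stat` tasks ("Verifying for old init authd service" and "Verifying for old systemd authd service") use `register: old_authd_service`, so the init.d result is overwritten before "Ensure ossec-authd service is disabled" reads it; register them separately and test `old_authd_init.stat.exists or old_authd_unit.stat.exists`. In "Check if client-syslog is enabled" and "Check if ossec-agentlessd is enabled" the pipeline inside the `|` block is wrapped in literal double quotes, so bash looks for one command named with the whole string and the task only "works" when `removes:` skips it; drop the quotes: `grep -c 'ossec-csyslogd' {{ wazuh_dir }}/bin/.process_list | xargs echo`.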
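Review bot: `changed_when: false` on both repository-removal tasks reports no change even when `apt_repository`/`yum_repository` really delete the repository definition, which hides the modification from check mode and from the play recap; drop the override and let the module report its own result. Because main.yml includes this file whenever `wazuh_manager_sources_installation.enabled` is false, the repository is removed right after the package install, so a later run with a `latest` package state presumably relies on RedHat.yml/Debian.yml re-adding it first (outside this hunk); a header comment such as `# Repository is removed after install; the OS-specific task files re-add it on the next run` would make that dependency explicit.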
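Review bot: The username and password are interpolated into the JSON line without escaping, so a password containing `"` or `\` produces an invalid line and a silently broken API user; let Jinja serialise the object instead: `{{ {'username': api['username'], 'password': api['password']} | to_json }}`. The one-object-per-line layout is presumably what create_user.py expects — that script is outside this hunk, so confirm before changing the shape.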
@@ -0,0 +1,3 @@ +{% for agentless in agentless_creds %} +{{ agentless.host }}|{{ agentless.passwd }} +{% endfor %} diff --git a/roles/wazuh/ansible-wazuh-manager/templates/authd_pass.j2 b/roles/wazuh/ansible-wazuh-manager/templates/authd_pass.j2 new file mode 100644 index 0000000..97a481f --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/templates/authd_pass.j2 @@ -0,0 +1 @@ +{{ authd_pass }} \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-manager/templates/cdb_lists.j2 b/roles/wazuh/ansible-wazuh-manager/templates/cdb_lists.j2 new file mode 100644 index 0000000..37774b9 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/templates/cdb_lists.j2 @@ -0,0 +1 @@ +{{ item.content }} diff --git a/roles/wazuh/ansible-wazuh-manager/templates/preloaded_vars_manager.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/preloaded_vars_manager.conf.j2 new file mode 100644 index 0000000..3dacef9 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/templates/preloaded_vars_manager.conf.j2 @@ -0,0 +1,7 @@ +{% for key, value in wazuh_manager_sources_installation.items() %} +{% if "user_" in key %} +{% if value is defined and value is not none %} +{{ key|upper }}="{{ value }}" +{% endif %} +{% endif %} +{% endfor %} diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-local-internal-options.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-local-internal-options.conf.j2 new file mode 100644 index 0000000..5718f80 --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-local-internal-options.conf.j2 
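Review bot: `{{ key|upper }}="{{ value }}"` emits the value inside double quotes with no escaping, so a value holding `"`, `$` or a backtick changes the meaning of the line when install.sh reads the file (presumably by sourcing it — confirm); `{{ key|upper }}={{ value | quote }}` yields a safely single-quoted shell word. `"user_" in key` is a substring test and would also match keys such as `no_user_x`; `key.startswith('user_')` states the intent.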
@@ -0,0 +1,12 @@ +# local_internal_options.conf +# +# This file should be handled with care. It contains +# run time modifications that can affect the use +# of OSSEC. Only change it if you know what you +# are doing. Look first at ossec.conf +# for most of the things you want to change. +# +# This file will not be overwritten during upgrades. + +# This is the template of Ansible for the file local_internal_options.conf +# In this file you could include the configuration settings for your manager diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 new file mode 100644 index 0000000..c83dd4f --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-ossec-server.conf.j2 
@@ -0,0 +1,690 @@ +#jinja2: lstrip_blocks: True + + + + + {{ wazuh_manager_config.json_output }} + {{ wazuh_manager_config.alerts_log }} + {{ wazuh_manager_config.logall }} + {{ wazuh_manager_config.logall_json }} + {{ wazuh_manager_config.email_notification }} + {% for to in wazuh_manager_config.mail_to %} + {{ to }} + {% endfor %} + {{ wazuh_manager_config.mail_smtp_server }} + {{ wazuh_manager_config.mail_from }} + {{ wazuh_manager_config.mail_maxperhour }} + {{ wazuh_manager_config.email_log_source }} + {{ wazuh_manager_config.agents_disconnection_time }} + {{ wazuh_manager_config.agents_disconnection_alert_time }} + + + + {{ wazuh_manager_config.log_level }} + {{ wazuh_manager_config.email_level }} + + + + + {{ wazuh_manager_config.log_format }} + + +{% if wazuh_manager_config.extra_emails is defined %} +{% for mail in wazuh_manager_config.extra_emails %} +{% if mail.enable == true %} + + {{ mail.mail_to }} + {% if mail.format is not none %} + {{ mail.format }} + {% endif %} + {% if mail.level is not none %} + {{ mail.level }} + {% endif %} + {% if mail.event_location is not none %} + {{ mail.event_location }} + {% endif %} + {% if mail.group is not none %} + {{ mail.group }} + {% endif %} + {% if mail.do_not_delay is not none and mail.do_not_delay == true %} + + {% endif %} + {% if mail.do_not_group is not none and mail.do_not_group == true %} + + {% endif %} + {% if mail.rule_id is not none %} + {{ mail.rule_id }} + {% endif %} + +{% endif %} +{% endfor %} +{% endif %} + + + +{% for connection in wazuh_manager_config.connection %} + + {{ connection.type }} + {% if connection.port is defined %} + {{ connection.port }} + {% endif %} + {% if connection.protocol is defined %} + {{ connection.protocol }} + {% endif %} + {% if connection.allowed_ips is defined %} + {% for allowed_ip in connection.allowed_ips %} + {{ allowed_ip }} + {% endfor %} + {% endif %} + {% if connection.denied_ips is defined %} + {% for denied_ip in connection.denied_ips %} + {{ denied_ip 
}} + {% endfor %} + {% endif %} + {% if connection.local_ip is defined %} + {{ connection.local_ip }} + {% endif %} + {% if connection.ipv6 is defined %} + {{ connection.ipv6 }} + {% endif %} + {% if connection.queue_size is defined %} + {{connection.queue_size}} + {% endif %} + +{% endfor %} + +{% if wazuh_manager_config.reports is defined %} +{% for report in wazuh_manager_config.reports %} +{% if report.enable == true %} + + {{ report.category }} + {{ report.title }} + {{ report.email_to }} + {% if report.location is not none %}{{ report.location }}{% endif %} + {% if report.group is not none %}{{ report.group }}{% endif %} + {% if report.rule is not none %}{{ report.rule }}{% endif %} + {% if report.level is not none %}{{ report.level }}{% endif %} + {% if report.srcip is not none %}{{ report.srcip }}{% endif %} + {% if report.user is not none %}{{ report.user }}{% endif %} + {% if report.showlogs is not none %}{{ report.showlogs }}{% endif %} + +{% endif %} +{% endfor %} +{% endif %} + + + + no + yes + yes + yes + yes + yes + yes + yes + + + {{ wazuh_manager_config.rootcheck.frequency }} + + {{ wazuh_dir }}/etc/rootcheck/rootkit_files.txt + {{ wazuh_dir }}/etc/rootcheck/rootkit_trojans.txt + + yes + + + {% if ansible_system == "Linux" and wazuh_manager_config.openscap.disable == 'no' %} + + no + {{ wazuh_manager_config.openscap.timeout }} + {{ wazuh_manager_config.openscap.interval }} + {{ wazuh_manager_config.openscap.scan_on_start }} + {% if ansible_distribution == 'Ubuntu' and ansible_distribution_release == 'xenial' %} + + xccdf_org.ssgproject.content_profile_common + + {% elif ansible_distribution == 'Debian' %} + {% if ansible_distribution_release == 'jessie' %} + {% if openscap_version_valid.stdout == "0" %} + + xccdf_org.ssgproject.content_profile_common + + + {% endif %} + {% elif ansible_distribution_release == 'stretch' %} + + {% endif %} + {% elif ansible_distribution == 'CentOS' %} + {% if ansible_distribution_major_version == '8' %} + {# Policy 
not available #} + {% elif ansible_distribution_major_version == '7' %} + + xccdf_org.ssgproject.content_profile_pci-dss + xccdf_org.ssgproject.content_profile_common + + {% elif ansible_distribution_major_version == '6' %} + + xccdf_org.ssgproject.content_profile_pci-dss + xccdf_org.ssgproject.content_profile_common + + {% endif %} + {% elif ansible_distribution == 'RedHat' %} + {% if ansible_distribution_major_version == '8' %} + {# Policy not available #} + {% elif ansible_distribution_major_version == '7' %} + + xccdf_org.ssgproject.content_profile_pci-dss + xccdf_org.ssgproject.content_profile_common + + {% elif ansible_distribution_major_version == '6' %} + + xccdf_org.ssgproject.content_profile_pci-dss + xccdf_org.ssgproject.content_profile_common + + {% endif %} + {% if ansible_distribution_major_version == '7' %} + + {% elif ansible_distribution_major_version == '6' %} + + {% endif %} + {% elif ansible_distribution == 'Fedora' %} + + xccdf_org.ssgproject.content_profile_pci-dss + xccdf_org.ssgproject.content_profile_common + + {% endif %} + + {% endif %} + + + {{ wazuh_manager_config.cis_cat.disable}} + {{ wazuh_manager_config.cis_cat.timeout }} + {{ wazuh_manager_config.cis_cat.interval }} + {{ wazuh_manager_config.cis_cat.scan_on_start }} + {% if wazuh_manager_config.cis_cat.install_java == 'yes' %} + wodles/java + {% else %} + {{ wazuh_manager_config.cis_cat.java_path }} + {% endif %} + {{ wazuh_manager_config.cis_cat.ciscat_path }} + + + + + {{ wazuh_manager_config.osquery.disable }} + {{ wazuh_manager_config.osquery.run_daemon }} + {{ wazuh_manager_config.osquery.log_path }} + {{ wazuh_manager_config.osquery.config_path }} + {{ wazuh_manager_config.osquery.ad_labels }} + + + + + {{ wazuh_manager_config.syscollector.disable }} + {{ wazuh_manager_config.syscollector.interval }} + {{ wazuh_manager_config.syscollector.scan_on_start }} + {{ wazuh_manager_config.syscollector.hardware }} + {{ wazuh_manager_config.syscollector.os }} + {{ 
wazuh_manager_config.syscollector.network }} + {{ wazuh_manager_config.syscollector.packages }} + {{ wazuh_manager_config.syscollector.ports_no }} + {{ wazuh_manager_config.syscollector.processes }} + + + + {% if wazuh_manager_config.sca.enabled | length > 0 %} + {{ wazuh_manager_config.sca.enabled }} + {% endif %} + {% if wazuh_manager_config.sca.scan_on_start | length > 0 %} + {{ wazuh_manager_config.sca.scan_on_start }} + {% endif %} + {% if wazuh_manager_config.sca.interval | length > 0 %} + {{ wazuh_manager_config.sca.interval }} + {% endif %} + {% if wazuh_manager_config.sca.skip_nfs | length > 0 %} + yes + {% endif %} + {% if wazuh_manager_config.sca.day | length > 0 %} + {{ wazuh_manager_config.sca.day }} + {% endif %} + {% if wazuh_manager_config.sca.wday | length > 0 %} + {{ wazuh_manager_config.sca.wday }} + {% endif %} + {% if wazuh_manager_config.sca.time | length > 0 %} + + {% endif %} + + + + {% if wazuh_manager_config.vulnerability_detector.enabled is defined %} + {{ wazuh_manager_config.vulnerability_detector.enabled }} + {% endif %} + {% if wazuh_manager_config.vulnerability_detector.interval is defined %} + {{ wazuh_manager_config.vulnerability_detector.interval }} + {% endif %} + {% if wazuh_manager_config.vulnerability_detector.min_full_scan_interval is defined %} + {{ wazuh_manager_config.vulnerability_detector.min_full_scan_interval }} + {% endif %} + {% if wazuh_manager_config.vulnerability_detector.run_on_start is defined %} + {{ wazuh_manager_config.vulnerability_detector.run_on_start }} + {% endif %} + {% if wazuh_manager_config.vulnerability_detector.providers is defined %} + {% for provider_ in wazuh_manager_config.vulnerability_detector.providers %} + + {% if provider_.enabled is defined %} + {{ provider_.enabled }} + {% endif %} + {% if provider_.os is defined %} + {% for os_ in provider_.os %} + {{ os_ }} + {% endfor %} + {% endif %} + {% if provider_.update_interval is defined %} + {{ provider_.update_interval }} + {% endif %} + + 
{% endfor %} + {% endif %} + + + + + {{ wazuh_manager_config.syscheck.disable }} + {{ wazuh_manager_config.syscheck.frequency }} + {{ wazuh_manager_config.syscheck.scan_on_start }} + + + {% if wazuh_manager_config.syscheck.auto_ignore_frequency is defined %} + {{wazuh_manager_config.syscheck.auto_ignore_frequency.value }} + {% endif %} + + + {% if wazuh_manager_config.syscheck.directories is defined %} + {% for directory in wazuh_manager_config.syscheck.directories %} + {{ directory.dirs }} + {% endfor %} + {% endif %} + + + {% if wazuh_manager_config.syscheck.ignore is defined %} + {% for ignore in wazuh_manager_config.syscheck.ignore %} + {{ ignore }} + {% endfor %} + {% endif %} + + + {% if wazuh_manager_config.syscheck.ignore_linux_type is defined %} + {% for ignore in wazuh_manager_config.syscheck.ignore_linux_type %} + {{ ignore }} + {% endfor %} + {% endif %} + + + + {% for no_diff in wazuh_manager_config.syscheck.no_diff %} + {{ no_diff }} + {% endfor %} + {% if wazuh_manager_config.syscheck.skip_nfs is defined %} + {{ wazuh_manager_config.syscheck.skip_nfs }} + {% endif %} + {% if wazuh_manager_config.syscheck.skip_dev is defined %} + {{ wazuh_manager_config.syscheck.skip_dev }} + {% endif %} + {% if wazuh_manager_config.syscheck.skip_proc is defined %} + {{ wazuh_manager_config.syscheck.skip_proc }} + {% endif %} + {% if wazuh_manager_config.syscheck.skip_sys is defined %} + {{ wazuh_manager_config.syscheck.skip_sys }} + {% endif %} + + + {{ wazuh_manager_config.syscheck.process_priority }} + + + {{ wazuh_manager_config.syscheck.max_eps }} + + + + {{ wazuh_manager_config.syscheck.sync_enabled }} + {{ wazuh_manager_config.syscheck.sync_interval }} + {{ wazuh_manager_config.syscheck.sync_max_interval }} + {{ wazuh_manager_config.syscheck.sync_max_eps }} + + + + +{% for white_list in wazuh_manager_config.globals %} + {{ white_list }} +{% endfor %} + + +{% for command in wazuh_manager_config.commands %} + + + {{ command.name }} + {{ command.executable }} + {% 
if command.timeout_allowed is defined %} + {{ command.timeout_allowed }} + {% endif %} + +{% endfor %} + +{% if agentless_creds is defined %} +{% for agentless in agentless_creds %} + + {{ agentless.type }} + {{ agentless.frequency }} + {{ agentless.host }} + {{ agentless.state }} + {% if agentless.arguments is defined %} + {{ agentless.arguments }} + {% endif %} + +{% endfor %} +{% endif -%} + +{% if wazuh_manager_config.active_responses is defined %} + {% for response in wazuh_manager_config.active_responses %} + + {% if response.disabled is defined %}{{ response.disabled }}{% else %}no{% endif %} + {%if response.command is defined %}{{ response.command }}{% endif %} + {%if response.location is defined %}{{ response.location }}{% endif %} + {%if response.agent_id is defined %}{{ response.agent_id }}{% endif %} + {%if response.level is defined %}{{ response.level }}{% endif %} + {%if response.rules_group is defined %}{{ response.rules_group }}{% endif %} + {%if response.rules_id is defined %}{{ response.rules_id }}{% endif %} + {%if response.timeout is defined %}{{ response.timeout }}{% endif %} + {%if response.repeated_offenders is defined %}{{ response.repeated_offenders }}{% endif %} + + {% endfor %} +{% endif -%} + + +{% for localfile in wazuh_manager_config.localfiles.common %} + + + {{ localfile.format }} + {% if localfile.format == 'command' or localfile.format == 'full_command' %} + {{ localfile.command }} + {% if localfile.alias is defined %} + {{ localfile.alias }} + {% endif %} + {% if localfile.frequency is defined %} + {{ localfile.frequency }} + {% endif %} + {% else %} + {{ localfile.location }} + {% if localfile.format == 'eventchannel' %} + {% if localfile.only_future_events is defined %} + {{ localfile.only_future_events }} + {% endif %} + {% if localfile.query is defined %} + {{ localfile.query }} + {% endif %} + {% endif %} + {% endif %} + {% if localfile.format == 'json' and localfile.labels is defined %} + {% for key, value in 
localfile.labels.items() %} + + {% endfor %} + {% endif %} + {% if localfile.target is defined %} + {{ localfile.target }} + {% endif %} + {% if localfile.out_format is defined %} + {{ localfile.out_format }} + {% endif %} + +{% endfor %} + +{% if ansible_os_family == "Debian" %} +{% for localfile in wazuh_manager_config.localfiles.debian %} + + + {{ localfile.format }} + {% if localfile.format == 'command' or localfile.format == 'full_command' %} + {{ localfile.command }} + {% if localfile.alias is defined %} + {{ localfile.alias }} + {% endif %} + {% if localfile.frequency is defined %} + {{ localfile.frequency }} + {% endif %} + {% else %} + {{ localfile.location }} + {% if localfile.format == 'eventchannel' %} + {% if localfile.only_future_events is defined %} + {{ localfile.only_future_events }} + {% endif %} + {% if localfile.query is defined %} + {{ localfile.query }} + {% endif %} + {% endif %} + {% endif %} + {% if localfile.format == 'json' and localfile.labels is defined %} + {% for key, value in localfile.labels.items() %} + + {% endfor %} + {% endif %} + {% if localfile.target is defined %} + {{ localfile.target }} + {% endif %} + {% if localfile.out_format is defined %} + {{ localfile.out_format }} + {% endif %} + +{% endfor %} +{% endif -%} + +{% if ansible_os_family == "RedHat" %} +{% for localfile in wazuh_manager_config.localfiles.centos %} + + + {{ localfile.format }} + {% if localfile.format == 'command' or localfile.format == 'full_command' %} + {{ localfile.command }} + {% if localfile.alias is defined %} + {{ localfile.alias }} + {% endif %} + {% if localfile.frequency is defined %} + {{ localfile.frequency }} + {% endif %} + {% else %} + {{ localfile.location }} + {% if localfile.format == 'eventchannel' %} + {% if localfile.only_future_events is defined %} + {{ localfile.only_future_events }} + {% endif %} + {% if localfile.query is defined %} + {{ localfile.query }} + {% endif %} + {% endif %} + {% endif %} + {% if localfile.format == 
'json' and localfile.labels is defined %} + {% for key, value in localfile.labels.items() %} + + {% endfor %} + {% endif %} + {% if localfile.target is defined %} + {{ localfile.target }} + {% endif %} + {% if localfile.out_format is defined %} + {{ localfile.out_format }} + {% endif %} + +{% endfor %} +{% endif -%} + +{% if wazuh_manager_config.syslog_outputs is defined %} +{% for syslog_output in wazuh_manager_config.syslog_outputs %} +{% if syslog_output.server is not none %} + + {{ syslog_output.server }} + {{ syslog_output.port }} + {{ syslog_output.format }} + +{% endif %} +{% endfor %} +{% endif %} + +{% if wazuh_manager_config.integrations is defined %} +{% for integration in wazuh_manager_config.integrations %} +{% if integration.name is not none %} + + + {{ integration.name }} + {% if integration.hook_url is defined %} + {{ integration.hook_url }} + {% endif %} + {% if integration.api_key is defined %} + {{ integration.api_key }} + {% endif %} + {% if integration.alert_format is defined %} + {{ integration.alert_format }} + {% endif %} + {% if integration.alert_level is defined %} + {{ integration.alert_level }} + {% endif %} + {% if integration.rule_id is defined %} + {{ integration.rule_id }} + {% endif %} + +{% endif %} +{% endfor %} +{% endif %} + +{% if monitor_aws is defined and monitor_aws.disabled == "no" %} + + + {{ monitor_aws.disabled }} + {{ monitor_aws.interval }} + {{ monitor_aws.run_on_start }} + {{ monitor_aws.skip_on_error }} + {% for bucket in monitor_aws.s3 %} + + {{ bucket.name }} + {% if bucket.path is defined %} + {{ bucket.path }} + {% endif %} + {% if bucket.only_logs_after is defined %} + {{ bucket.only_logs_after }} + {% endif %} + {{ bucket.access_key }} + {{ bucket.secret_key }} + + {% endfor %} + +{% endif %} + +{% if wazuh_manager_config.labels.enable == true %} + + {% for label in wazuh_manager_config.labels.list %} + + {% endfor %} + +{% endif %} + + + + + ruleset/decoders + ruleset/rules + {% if 
wazuh_manager_config.rule_exclude is defined %} + {% for rule in wazuh_manager_config.rule_exclude %} + {{ rule }} + {% endfor %} + {% endif %} + {% if wazuh_manager_config.ruleset.cdb_lists is defined %} + {% for list in wazuh_manager_config.ruleset.cdb_lists %} + etc/lists/{{ list }} + {% endfor %} + {% endif %} + + + etc/decoders + etc/rules + + +{% if wazuh_manager_config.authd.enable == true %} + + no + {% if wazuh_manager_config.authd.port is not none %} + {{wazuh_manager_config.authd.port}} + {% else %} + 1515 + {% endif %} + {% if wazuh_manager_config.authd.use_source_ip is not none %} + {{wazuh_manager_config.authd.use_source_ip}} + {% endif %} + + {% if wazuh_manager_config.authd.force.enabled is not none %} + {{wazuh_manager_config.authd.force.enabled}} + {% else %} + yes + {% endif %} + {% if wazuh_manager_config.authd.force.key_mismatch is not none %} + {{wazuh_manager_config.authd.force.key_mismatch}} + {% else %} + yes + {% endif %} + {% if wazuh_manager_config.authd.force.disconnected_time is not none %} + {{wazuh_manager_config.authd.force.disconnected_time}} + {% else %} + 1h + {% endif %} + {% if wazuh_manager_config.authd.force.after_registration_time is not none %} + {{wazuh_manager_config.authd.force.after_registration_time}} + {% else %} + 1h + {% endif %} + + {% if wazuh_manager_config.authd.purge is not none %} + {{wazuh_manager_config.authd.purge}} + {% endif %} + {% if wazuh_manager_config.authd.use_password is not none %} + {{wazuh_manager_config.authd.use_password}} + {% endif %} + {% if wazuh_manager_config.authd.ciphers is not none %} + {{wazuh_manager_config.authd.ciphers}} + {% endif %} + {% if wazuh_manager_config.authd.ssl_agent_ca is not none %} + {{ wazuh_dir }}/etc/{{wazuh_manager_config.authd.ssl_agent_ca | basename}} + {% endif %} + {% if wazuh_manager_config.authd.ssl_verify_host is not none %} + {{wazuh_manager_config.authd.ssl_verify_host}} + {% endif %} + {% if wazuh_manager_config.authd.ssl_manager_cert is not none %} + 
{{ wazuh_dir }}/etc/{{wazuh_manager_config.authd.ssl_manager_cert | basename}} + {% endif %} + {% if wazuh_manager_config.authd.ssl_manager_key is not none %} + {{ wazuh_dir }}/etc/{{wazuh_manager_config.authd.ssl_manager_key | basename}} + {% endif %} + {% if wazuh_manager_config.authd.ssl_auto_negotiate is not none %} + {{wazuh_manager_config.authd.ssl_auto_negotiate}} + {% endif %} + +{% endif %} + + + {{ wazuh_manager_config.cluster.disable }} + {{ wazuh_manager_config.cluster.name }} + {{ wazuh_manager_config.cluster.node_name }} + {{ wazuh_manager_config.cluster.node_type }} + {{ wazuh_manager_config.cluster.key }} + {% if wazuh_manager_config.cluster.interval is defined %} + {{ wazuh_manager_config.cluster.interval }} + {% endif %} + {{ wazuh_manager_config.cluster.port }} + {{ wazuh_manager_config.cluster.bind_addr }} + + {% for node in wazuh_manager_config.cluster.nodes %} + {{ node }} + {% endfor %} + + {{ wazuh_manager_config.cluster.hidden }} + + + diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 new file mode 100644 index 0000000..7af5e3f --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-etc-shared-agent.conf.j2 
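Review bot: The rendered ossec.conf carries secrets — `wazuh_manager_config.cluster.key`, `bucket.access_key`/`bucket.secret_key` for each `monitor_aws.s3` entry and `integration.api_key` — yet the "Configure ossec.conf" task in main.yml of this commit writes it with `mode: 0644` and without `no_log`, so the values are readable by every local user and echoed in diff output; `mode: "0640"` plus `no_log: true` on that task covers both. Free-text values such as `report.title`, `mail.mail_to` and `localfile.query` are inserted without XML escaping, so a single `&` or `<` in them yields a config the manager rejects; apply `| escape` at those insertion points. The `| length > 0` tests on `sca.enabled`, `sca.scan_on_start`, `sca.interval` and `sca.skip_nfs` raise at render time if those variables are booleans or integers rather than strings (their defaults are outside this hunk), so the `is defined`/`is not none` form used in the vulnerability_detector and authd sections would be more robust.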
@@ -0,0 +1,106 @@ +#jinja2: trim_blocks: False +{% if shared_agent_config is defined %} +{% for agent_config in shared_agent_config %} + + {% if agent_config.syscheck is defined %} + + {% if agent_config.syscheck.auto_ignore is defined %} + {{ agent_config.syscheck.auto_ignore }} + {% endif %} + {{ agent_config.syscheck.frequency }} + {{ agent_config.syscheck.scan_on_start }} + + + {% if agent_config.syscheck.directories is defined %} + {% for directory in agent_config.syscheck.directories %} + {{ directory.dirs }} + {% endfor %} + {% endif %} + + + {% if agent_config.syscheck.ignore is defined %} + {% for ignore in agent_config.syscheck.ignore %} + {{ ignore }} + {% endfor %} + {% endif %} + + + {% if agent_config.syscheck.no_diff is defined %} + {% for no_diff in agent_config.syscheck.no_diff %} + {{ no_diff }} + {% endfor %} + {% endif %} + + {% if agent_config.syscheck.windows_registry is defined %} + {% for registry_key in agent_config.syscheck.windows_registry %} + {% if registry_key.arch is defined %} + {{ registry_key.key }} + {% else %} + {{ registry_key.key }} + {% endif %} + {% endfor %} + {% endif %} + + {% endif %} + + {% if agent_config.localfiles is defined %} + {% for localfile in agent_config.localfiles %} + + {{ localfile.format }} + {% if localfile.format == 'command' or localfile.format == 'full_command' %} + {{ localfile.command }} + {% if localfile.alias is defined %} + {{ localfile.alias }} + {% endif %} + {% if localfile.frequency is defined %} + {{ localfile.frequency }} + {% endif %} + {% else %} + {{ localfile.location }} + {% if localfile.format == 'eventchannel' %} + {% if localfile.only_future_events is defined %} + {{ localfile.only_future_events }} + {% endif %} + {% if localfile.query is defined %} + {{ localfile.query }} + {% endif %} + {% endif %} + {% endif %} + {% if localfile.format == 'json' and localfile.labels is defined %} + {% for item in localfile.labels %} + + {% endfor %} + {% endif %} + {% if localfile.target is 
defined %} + {{ localfile.target }} + {% endif %} + {% if localfile.out_format is defined %} + {{ localfile.out_format }} + {% endif %} + + {% endfor %} + {% endif %} + + {% if agent_config.rootcheck is defined %} + + no + yes + yes + yes + yes + yes + yes + yes + + + {{ agent_config.rootcheck.frequency }} + + {% if agent_config.rootcheck.cis_distribution_filename is not none %} + {{ wazuh_dir }}/etc/shared/default/{{ agent_config.rootcheck.cis_distribution_filename }} + {% endif %} + yes + + {% endif %} + +{% endfor %} +{% endif %} diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_decoder.xml.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_decoder.xml.j2 new file mode 100644 index 0000000..653167f --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_decoder.xml.j2 @@ -0,0 +1,25 @@ + + + + + + + + local_decoder_example + diff --git a/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 new file mode 100644 index 0000000..987d75a --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/templates/var-ossec-rules-local_rules.xml.j2 @@ -0,0 +1,19 @@ + + + + + + + + + + + 5716 + 1.1.1.1 + sshd: authentication failed from IP 1.1.1.1. + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5, + + + \ No newline at end of file diff --git a/roles/wazuh/ansible-wazuh-manager/vars/agentless_creds.yml b/roles/wazuh/ansible-wazuh-manager/vars/agentless_creds.yml new file mode 100644 index 0000000..2704fee --- /dev/null +++ b/roles/wazuh/ansible-wazuh-manager/vars/agentless_creds.yml @@ -0,0 +1,8 @@ +--- +# agentless_creds: +# - type: ssh_integrity_check_linux +# frequency: 3600 +# host: root@example.net +# state: periodic +# arguments: '/bin /etc/ /sbin' +# passwd: qwerty 
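Review bot: In the rootcheck section, `{% if agent_config.rootcheck.cis_distribution_filename is not none %}` guards with `is not none`, while every other optional key in this template (`auto_ignore`, `directories`, `ignore`, `no_diff`, `alias`, `target`, …) is guarded with `is defined`; an entry that simply omits `cis_distribution_filename` passes the `is not none` test and the `{{ ... }}` inside then fails under Ansible's undefined-variable handling. `{% if agent_config.rootcheck.cis_distribution_filename is defined and agent_config.rootcheck.cis_distribution_filename is not none %}` keeps both the explicit-null opt-out and the omitted-key case. A one-line comment above the rootcheck block stating that the key is optional would spare the next reader the same question.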
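Review bot: The commented example shows a plaintext `passwd: qwerty` next to the `host:` it unlocks, and the file lives under the role's vars/, so following the example verbatim puts a real credential into an unencrypted vars file in the repository. A comment above the example such as `# Keep real values in an Ansible Vault-encrypted vars file, not in this file` would steer users to the supported pattern. The authd_pass.yml hunk that follows (`# authd_pass: foobar`) has the same issue and should carry the same comment.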
diff --git a/roles/wazuh/ansible-wazuh-manager/vars/authd_pass.yml b/roles/wazuh/ansible-wazuh-manager/vars/authd_pass.yml
new file mode 100644
index 0000000..b23855a
--- /dev/null
+++ b/roles/wazuh/ansible-wazuh-manager/vars/authd_pass.yml
@@ -0,0 +1,2 @@
+---
+# authd_pass: foobar
diff --git a/roles/wazuh/ansible-wazuh-manager/vars/install_cmake.yml b/roles/wazuh/ansible-wazuh-manager/vars/install_cmake.yml
new file mode 100644
index 0000000..cda00c6
--- /dev/null
+++ b/roles/wazuh/ansible-wazuh-manager/vars/install_cmake.yml
@@ -0,0 +1,4 @@
+# Install cmake vars
+
+cmake_version: 3.18.3
+cmake_download_url: "http://packages.wazuh.com/utils/cmake/cmake-{{ cmake_version }}.tar.gz"
\ No newline at end of file
diff --git a/roles/wazuh/check-packages/defaults/main.yml b/roles/wazuh/check-packages/defaults/main.yml
new file mode 100644
index 0000000..b7019f7
--- /dev/null
+++ b/roles/wazuh/check-packages/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+wazuh_version: 4.7.2
diff --git a/roles/wazuh/check-packages/files/packages_uri.txt b/roles/wazuh/check-packages/files/packages_uri.txt
new file mode 100644
index 0000000..bd59e00
--- /dev/null
+++ b/roles/wazuh/check-packages/files/packages_uri.txt
@@ -0,0 +1,6 @@
+yum/wazuh-manager-VERSION-1.x86_64.rpm
+apt/pool/main/w/wazuh-manager/wazuh-manager_VERSION-1_amd64.deb
+yum/wazuh-dashboard-VERSION-1.x86_64.rpm
+yum/wazuh-indexer-VERSION-1.x86_64.rpm
+apt/pool/main/w/wazuh-agent/wazuh-agent_VERSION-1_amd64.deb
+yum/wazuh-agent-VERSION-1.x86_64.rpm
\ No newline at end of file
diff --git a/roles/wazuh/check-packages/scripts/check_packages.sh b/roles/wazuh/check-packages/scripts/check_packages.sh
new file mode 100755
index 0000000..20c6204
--- /dev/null
+++ b/roles/wazuh/check-packages/scripts/check_packages.sh
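Review bot: `cmake_download_url` uses plain `http://` for a source tarball that is presumably built and installed on the manager, while every other packages.wazuh.com URL in this commit (roles/wazuh/vars/repo.yml) is `https://`; change it to `cmake_download_url: "https://packages.wazuh.com/utils/cmake/cmake-{{ cmake_version }}.tar.gz"`. A companion variable for the expected digest, e.g. `cmake_sha256: "<expected-digest-placeholder>"`, would let the download task verify the archive before it is compiled; that task is not in this chunk, so whether a check exists today cannot be confirmed here.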
@@ -0,0 +1,80 @@ +#!/bin/bash + +VERSION=$1 +#echo $VERSION +## Replace VERSION with $VERSION in packages_uri.txt and save it as packages_uri_new.txt +sed 's,VERSION,'$VERSION',g' ../files/packages_uri.txt > ../files/packages_uri_new.txt + +checkPackages(){ + ## Set S3 Bucket URL + if [ $1 == "production" ]; then + echo "production" + PACKAGES_URL=https://packages.wazuh.com/4.x/ + elif [ $1 == "pre-release" ]; then + echo "pre-release" + PACKAGES_URL=https://packages-dev.wazuh.com/pre-release/ + elif [ $1 == "staging" ]; then + echo "staging" + PACKAGES_URL=https://packages-dev.wazuh.com/staging/ + CHECK_WIN_PACKAGE=$(grep windows ../files/packages_uri_new.txt) + echo $CHECK_WIN_PACKAGE + if [ -n "$CHECK_WIN_PACKAGE" ]; then + WIN_AGENT_NAME=$(aws s3 ls s3://packages-dev.wazuh.com/staging/windows/wazuh-agent-$VERSION --region=us-west-1 | tail -1 | awk '{printf $4}') + if [ -z $WIN_AGENT_NAME ]; then + echo "Windows agent package for version " $VERSION " does not exist in the staging repository" + exit 1 + fi + WIN_AGENT_URI="windows/"$WIN_AGENT_NAME + echo $PACKAGES_URL$WIN_AGENT_URI "check" + sed -i 's,windows/.*,'$WIN_AGENT_URI',g' ../files/packages_uri_new.txt + sed -i 's,wazuh_winagent_config_url.*,wazuh_winagent_config_url: \"'$PACKAGES_URL$WIN_AGENT_URI'\",g' ../../vars/repo_staging.yml + sed -i 's,wazuh_winagent_package_name.*,wazuh_winagent_package_name: \"'$WIN_AGENT_NAME'\",g' ../../vars/repo_staging.yml + fi + fi + + ## Set EXISTS to 0 (true) + EXISTS=0 + + ## Loop through the packages_uri_new.txt file + while IFS= read -r URI + do + echo "$URI" + ## Check if the package exists + PACKAGE=$(curl --silent -I $PACKAGES_URL$URI | grep -E "^HTTP" | awk '{print $2}') + ## If it does not exist set EXISTS to 1 (false) + if [ "$PACKAGE" != "200" ]; then + EXISTS=1 + #echo $PACKAGES_URL$URI "does not exist" + return $EXISTS + fi + done < ../files/packages_uri_new.txt + + return $EXISTS +} + +replaceVars(){ + sed -i "s|packages_repository:.*|packages_repository: 
$1|g" ../../vars/repo_vars.yml
+
+}
+
+## Call the checkPackages function for each repository
+if checkPackages "production"; then
+ echo "production"
+ replaceVars "production"
+ exit 0
+elif checkPackages "pre-release"; then
+ echo "pre-release"
+ replaceVars "pre-release"
+ exit 0
+elif checkPackages "production"; then
+ echo "production"
+ replaceVars "production"
+ exit 0
+elif checkPackages "staging"; then
+ echo "staging"
+ replaceVars "staging"
+ exit 0
+else
+ echo "Failed"
+ exit 1
+fi
\ No newline at end of file
diff --git a/roles/wazuh/check-packages/tasks/main.yml b/roles/wazuh/check-packages/tasks/main.yml
new file mode 100644
index 0000000..bbee623
--- /dev/null
+++ b/roles/wazuh/check-packages/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+ - name: Check packages
+ shell: |
+ ./check_packages.sh {{ wazuh_version }}
+ args:
+ warn: false
+ executable: /bin/bash
+ chdir: "{{ role_path }}/scripts/"
+ delegate_to: localhost
+ become: no
+
diff --git a/roles/wazuh/vars/repo.yml b/roles/wazuh/vars/repo.yml
new file mode 100644
index 0000000..4da3bf7
--- /dev/null
+++ b/roles/wazuh/vars/repo.yml
@@ -0,0 +1,14 @@
+wazuh_repo:
+ apt: 'deb https://packages.wazuh.com/4.x/apt/ stable main'
+ yum: 'https://packages.wazuh.com/4.x/yum/'
+ gpg: 'https://packages.wazuh.com/key/GPG-KEY-WAZUH'
+ key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
+wazuh_winagent_config_url: "https://packages.wazuh.com/4.x/windows/wazuh-agent-{{ wazuh_agent_version }}-1.msi"
+wazuh_winagent_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.msi"
+wazuh_winagent_sha512_url: "https://packages.wazuh.com/4.x/checksums/wazuh/{{ wazuh_agent_version }}/wazuh-agent-{{ wazuh_agent_version }}-1.msi.sha512"
+filebeat_module_package_url: https://packages.wazuh.com/4.x/filebeat
+
+certs_gen_tool_version: 4.7
+
+# Url of certificates generator tool
+certs_gen_tool_url: "https://packages.wazuh.com/{{ certs_gen_tool_version }}/wazuh-certs-tool.sh"
\ No newline at end of file
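Review bot: The third branch of the final chain, `elif checkPackages "production"; then`, is unreachable because the first branch already tested production, so it is either dead code or was meant to name a different repository. The positional argument is never validated and is used unquoted both in `[ $1 == "production" ]` and in `sed 's,VERSION,'$VERSION',g'`, so an empty or space-containing value yields a `[: ==: unary operator expected` error or a packages_uri_new.txt with nothing substituted; `VERSION="${1:?usage: check_packages.sh <wazuh_version>}"` at the top and `if [ "$1" == "production" ]` (and `[ -z "$WIN_AGENT_NAME" ]`) fix both. Note also that the chain silently falls back from production to pre-release and then staging and rewrites repo_vars.yml accordingly, so a missing production package makes the rest of the play install development-repository packages with no signal beyond an `echo`; an explicit warning line, or an opt-in flag for non-production fallback, would make that visible to the caller. `set -euo pipefail` would also stop the script from continuing past a failed `sed`/`curl`.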
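Review bot: `warn: false` under `args:` was removed from the command/shell modules in ansible-core 2.14, so this task fails with an unsupported-parameter error on current Ansible; delete that line (the `# noqa` approach used elsewhere in this commit covers the lint warning it was silencing). The version is interpolated into the shell line unquoted; `./check_packages.sh {{ wazuh_version | quote }}` keeps a value with spaces or shell metacharacters as a single argument. Style: `become: no` should be `become: false`, and the one-space indent of the task list under `---` differs from every other task file in this commit.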
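Review bot: `certs_gen_tool_version: 4.7` is an unquoted float, so a future value such as 4.10 would load as 4.1 and `certs_gen_tool_url` would be built from the wrong path; write `certs_gen_tool_version: "4.7"`. The same unquoted line appears in the repo_pre-release.yml and repo_staging.yml hunks that follow. `filebeat_module_package_url` is the only URL in the file left unquoted; quoting it like its neighbours is a cheap consistency fix.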
diff --git a/roles/wazuh/vars/repo_pre-release.yml b/roles/wazuh/vars/repo_pre-release.yml
new file mode 100644
index 0000000..8d54624
--- /dev/null
+++ b/roles/wazuh/vars/repo_pre-release.yml
@@ -0,0 +1,14 @@
+wazuh_repo:
+ apt: 'deb https://packages-dev.wazuh.com/pre-release/apt/ unstable main'
+ yum: 'https://packages-dev.wazuh.com/pre-release/yum/'
+ gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
+ key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
+wazuh_winagent_config_url: "https://packages-dev.wazuh.com/pre-release/windows/wazuh-agent-{{ wazuh_agent_version }}-1.msi"
+wazuh_winagent_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.msi"
+wazuh_winagent_sha512_url: "https://packages-dev.wazuh.com/pre-release/checksums/wazuh/{{ wazuh_agent_version }}/wazuh-agent-{{ wazuh_agent_version }}-1.msi.sha512"
+filebeat_module_package_url: https://packages-dev.wazuh.com/pre-release/filebeat
+
+certs_gen_tool_version: 4.7
+
+# Url of certificates generator tool
+certs_gen_tool_url: "https://packages-dev.wazuh.com/{{ certs_gen_tool_version }}/wazuh-certs-tool.sh"
\ No newline at end of file
diff --git a/roles/wazuh/vars/repo_staging.yml b/roles/wazuh/vars/repo_staging.yml
new file mode 100644
index 0000000..24b8b7b
--- /dev/null
+++ b/roles/wazuh/vars/repo_staging.yml
@@ -0,0 +1,12 @@
+wazuh_repo:
+ apt: 'deb https://packages-dev.wazuh.com/staging/apt/ unstable main'
+ yum: 'https://packages-dev.wazuh.com/staging/yum/'
+ gpg: 'https://packages-dev.wazuh.com/key/GPG-KEY-WAZUH'
+ key_id: '0DCFCA5547B19D2A6099506096B3EE5F29111145'
+wazuh_winagent_config_url: "https://packages-dev.wazuh.com/staging/windows/wazuh-agent-{{ wazuh_agent_version }}-1.msi"
+wazuh_winagent_package_name: "wazuh-agent-{{ wazuh_agent_version }}-1.msi"
+
+certs_gen_tool_version: 4.7
+
+# Url of certificates generator tool
+certs_gen_tool_url: "https://packages-dev.wazuh.com/{{ certs_gen_tool_version }}/wazuh-certs-tool.sh"
\ No newline at end of file
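Review bot: This file omits `wazuh_winagent_sha512_url` and `filebeat_module_package_url`, both of which repo.yml and repo_pre-release.yml define; any task that verifies the Windows agent MSI against the sha512 URL (the consumer is not in this chunk) hits an undefined variable, or skips the check if it is guarded, whenever `packages_repository` is `staging`. Either define them for staging or state in a comment why staging installs are not checksum-verified. Since check_packages.sh rewrites `wazuh_winagent_config_url` and `wazuh_winagent_package_name` in this file with `sed -i`, a comment above those two keys saying they are overwritten by roles/wazuh/check-packages/scripts/check_packages.sh would stop a maintainer from hand-editing values that get clobbered.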
diff --git a/roles/wazuh/vars/repo_vars.yml b/roles/wazuh/vars/repo_vars.yml
new file mode 100644
index 0000000..5315776
--- /dev/null
+++ b/roles/wazuh/vars/repo_vars.yml
@@ -0,0 +1 @@
+packages_repository: production
\ No newline at end of file
diff --git a/roles/wazuh/wazuh-dashboard/defaults/main.yml b/roles/wazuh/wazuh-dashboard/defaults/main.yml
new file mode 100644
index 0000000..33c158b
--- /dev/null
+++ b/roles/wazuh/wazuh-dashboard/defaults/main.yml
@@ -0,0 +1,31 @@
+---
+
+# Dashboard configuration
+indexer_http_port: 9200
+indexer_api_protocol: https
+dashboard_conf_path: /etc/wazuh-dashboard/
+dashboard_node_name: node-1
+dashboard_server_host: "0.0.0.0"
+dashboard_server_port: "443"
+dashboard_server_name: "dashboard"
+wazuh_version: 4.7.2
+indexer_cluster_nodes:
+ - 127.0.0.1
+
+# The Wazuh dashboard package repository
+dashboard_version: "4.7.2"
+
+# API credentials
+wazuh_api_credentials:
+ - id: "default"
+ url: "https://localhost"
+ port: 55000
+ username: "wazuh"
+ password: "wazuh"
+
+# Dashboard Security
+dashboard_security: true
+indexer_admin_password: changeme
+dashboard_user: kibanaserver
+dashboard_password: changeme
+local_certs_path: "{{ playbook_dir }}/indexer/certificates"
diff --git a/roles/wazuh/wazuh-dashboard/handlers/main.yml b/roles/wazuh/wazuh-dashboard/handlers/main.yml
new file mode 100644
index 0000000..45f7193
--- /dev/null
+++ b/roles/wazuh/wazuh-dashboard/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart wazuh-dashboard
+ service: name=wazuh-dashboard state=restarted
diff --git a/roles/wazuh/wazuh-dashboard/tasks/Debian.yml b/roles/wazuh/wazuh-dashboard/tasks/Debian.yml
new file mode 100644
index 0000000..7525a10
--- /dev/null
+++ b/roles/wazuh/wazuh-dashboard/tasks/Debian.yml
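Review bot: The defaults ship working credentials (`indexer_admin_password: changeme`, `dashboard_password: changeme`, and a `wazuh`/`wazuh` API entry) with nothing marking them as placeholders, and the same `changeme` values are repeated in the wazuh-indexer defaults/main.yml hunk later in this diff. A comment above the security block such as `# Placeholder credentials: override them in group_vars/host_vars (Vault-encrypted); never deploy with these values` makes the expectation explicit, and an `assert` task in the role that fails when the defaults are unchanged would enforce it. Style: `dashboard_server_port: "443"` is a quoted string while `indexer_http_port: 9200` is an integer; pick one form for port values, and `wazuh_version` and `dashboard_version` carry the same value in two styles (`4.7.2` vs `"4.7.2"`).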
@@ -0,0 +1,24 @@
+---
+- block:
+
+ - include_vars: debian.yml
+ - name: Add apt repository signing key
+ apt_key:
+ url: "{{ wazuh_repo.gpg }}"
+ state: present
+
+ - name: Debian systems | Add Wazuh dashboard repo
+ apt_repository:
+ repo: "{{ wazuh_repo.apt }}"
+ state: present
+ update_cache: yes
+
+ - name: Install Wazuh dashboard
+ apt:
+ name: "wazuh-dashboard={{ dashboard_version }}-*"
+ state: present
+ update_cache: yes
+ register: install
+
+ tags:
+ - install
\ No newline at end of file
diff --git a/roles/wazuh/wazuh-dashboard/tasks/RMRedHat.yml b/roles/wazuh/wazuh-dashboard/tasks/RMRedHat.yml
new file mode 100644
index 0000000..b34970e
--- /dev/null
+++ b/roles/wazuh/wazuh-dashboard/tasks/RMRedHat.yml
@@ -0,0 +1,6 @@
+---
+- name: Remove Wazuh dashboard repository (and clean up left-over metadata)
+ yum_repository:
+ name: wazuh_repo
+ state: absent
+ changed_when: false
diff --git a/roles/wazuh/wazuh-dashboard/tasks/RedHat.yml b/roles/wazuh/wazuh-dashboard/tasks/RedHat.yml
new file mode 100644
index 0000000..39900d4
--- /dev/null
+++ b/roles/wazuh/wazuh-dashboard/tasks/RedHat.yml
@@ -0,0 +1,21 @@
+---
+- block:
+
+ - name: RedHat/CentOS/Fedora | Add Wazuh dashboard repo
+ yum_repository:
+ file: wazuh
+ name: wazuh_repo
+ description: Wazuh yum repository
+ baseurl: "{{ wazuh_repo.yum }}"
+ gpgkey: "{{ wazuh_repo.gpg }}"
+ gpgcheck: true
+
+ - name: Install Wazuh dashboard
+ package:
+ name: "wazuh-dashboard-{{ dashboard_version }}"
+ state: present
+ update_cache: yes
+ register: install
+
+ tags:
+ - install
diff --git a/roles/wazuh/wazuh-dashboard/tasks/main.yml b/roles/wazuh/wazuh-dashboard/tasks/main.yml
new file mode 100755
index 0000000..3f3fa66
--- /dev/null
+++ b/roles/wazuh/wazuh-dashboard/tasks/main.yml
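Review bot: The signing-key step uses `apt_key`, which drives the apt-key tool that Debian and Ubuntu have deprecated; on recent releases the key lands in the legacy trusted keyring and the tool emits warnings. Fetching the key with `get_url` into a dedicated keyring file and referencing it from the repository line (`deb [signed-by=/path/to/keyring] ...`) is the supported replacement, and it also scopes the key to this repository instead of trusting it for every apt source. The indexer tasks/Debian.yml hunk later in this diff does the same and should be changed together with this one. Style: both `update_cache: yes` lines should be `update_cache: true`, and the `include_vars: debian.yml` only re-sets `dashboard_version` to the value the defaults already carry.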
@@ -0,0 +1,99 @@ +--- +- include_vars: ../../vars/repo_vars.yml + +- include_vars: ../../vars/repo.yml + when: packages_repository == 'production' + +- include_vars: ../../vars/repo_pre-release.yml + when: packages_repository == 'pre-release' + +- include_vars: ../../vars/repo_staging.yml + when: packages_repository == 'staging' + +- import_tasks: RedHat.yml + when: ansible_os_family == 'RedHat' + +- import_tasks: Debian.yml + when: ansible_os_family == 'Debian' + +- name: Remove Dashboard configuration file + file: + # noqa 503 + path: "{{ dashboard_conf_path }}/opensearch_dashboards.yml" + state: absent + tags: install + +- import_tasks: security_actions.yml + +- name: Copy Configuration File + template: + src: "templates/opensearch_dashboards.yml.j2" + dest: "{{ dashboard_conf_path }}/opensearch_dashboards.yml" + group: wazuh-dashboard + owner: wazuh-dashboard + mode: 0640 + force: yes + notify: restart wazuh-dashboard + tags: + - install + - configure + +- name: Ensuring Wazuh dashboard directory owner + file: + # noqa 208 + path: "/usr/share/wazuh-dashboard" + state: directory + owner: wazuh-dashboard + group: wazuh-dashboard + recurse: yes + +- name: Wait for Wazuh-Indexer port + wait_for: host={{ indexer_network_host }} port={{ indexer_http_port }} + +- name: Select correct API protocol + set_fact: + indexer_api_protocol: "{% if dashboard_security is defined and dashboard_security %}https{% else %}http{% endif %}" + +- name: Attempting to delete legacy Wazuh index if exists + uri: + url: "{{ indexer_api_protocol }}://{{ indexer_network_host }}:{{ indexer_http_port }}/.wazuh" + method: DELETE + user: "admin" + password: "{{ indexer_admin_password }}" + validate_certs: no + status_code: 200, 404 + +- name: Create Wazuh Plugin config directory + file: + path: /usr/share/wazuh-dashboard/data/wazuh/config/ + state: directory + recurse: yes + owner: wazuh-dashboard + group: wazuh-dashboard + mode: 0751 + changed_when: False + +- name: Configure Wazuh Dashboard 
Plugin + template: + src: wazuh.yml.j2 + dest: /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml + owner: wazuh-dashboard + group: wazuh-dashboard + mode: 0751 + changed_when: False + +- name: Configure opensearch.password in opensearch_dashboards.keystore + shell: >- + echo '{{ dashboard_password }}' | /usr/share/wazuh-dashboard/bin/opensearch-dashboards-keystore --allow-root add -f --stdin opensearch.password + args: + executable: /bin/bash + become: yes + +- name: Ensure Wazuh dashboard started and enabled + service: + name: wazuh-dashboard + enabled: true + state: started + +- import_tasks: RMRedHat.yml + when: ansible_os_family == 'RedHat' diff --git a/roles/wazuh/wazuh-dashboard/tasks/security_actions.yml b/roles/wazuh/wazuh-dashboard/tasks/security_actions.yml new file mode 100644 index 0000000..06b3e2b --- /dev/null +++ b/roles/wazuh/wazuh-dashboard/tasks/security_actions.yml @@ -0,0 +1,23 @@ +- block: + + - name: Ensure Dashboard certificates directory permissions. + file: + path: "/etc/wazuh-dashboard/certs/" + state: directory + owner: wazuh-dashboard + group: wazuh-dashboard + mode: 500 + + - name: Copy the certificates from local to the Wazuh dashboard instance + copy: + src: "{{ local_certs_path }}/wazuh-certificates/{{ item }}" + dest: /etc/wazuh-dashboard/certs/ + owner: wazuh-dashboard + group: wazuh-dashboard + mode: 0400 + with_items: + - "root-ca.pem" + - "{{ dashboard_node_name }}-key.pem" + - "{{ dashboard_node_name }}.pem" + tags: + - security diff --git a/roles/wazuh/wazuh-dashboard/templates/opensearch_dashboards.yml.j2 b/roles/wazuh/wazuh-dashboard/templates/opensearch_dashboards.yml.j2 new file mode 100644 index 0000000..75ee61f --- /dev/null +++ b/roles/wazuh/wazuh-dashboard/templates/opensearch_dashboards.yml.j2 
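Review bot: The keystore task at the end pipes `{{ dashboard_password }}` through `echo` inside a `shell` command, so the rendered command line — password included — is printed in the play output and stored by any logging callback; add `no_log: true` to that task. The `.wazuh` index deletion sends the admin credentials with `validate_certs: no` although this role installs `root-ca.pem` on the host; `validate_certs: true` plus `ca_path: /etc/wazuh-dashboard/certs/root-ca.pem` would keep the check without a public CA, provided the indexer certificate covers the address in `indexer_network_host` (not verifiable from this hunk). Lastly, `mode: 0751` on wazuh.yml (which carries the API password) puts execute bits on a data file; `0640` would match the opensearch_dashboards.yml task above.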
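Review bot: `mode: 500` on the certificates directory is an unquoted decimal: Ansible documents that a mode given as a number without a leading zero (or quotes) is treated as decimal, and 500 decimal is 0764 octal, so the directory ends up group-writable and world-readable instead of owner-only. Write it as `mode: "0500"`; the `copy` task below already uses the leading-zero form (`mode: 0400`), so the two lines should agree. A short comment above the directory task saying the directory is deliberately owner-only would document the intent.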
@@ -0,0 +1,15 @@
+server.host: {{ dashboard_server_host }}
+server.port: {{ dashboard_server_port }}
+opensearch.hosts:
+{% for item in indexer_cluster_nodes %}
+ - https://{{ item }}:{{ indexer_http_port }}
+{% endfor %}
+opensearch.ssl.verificationMode: certificate
+opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
+opensearch_security.multitenancy.enabled: false
+opensearch_security.readonly_mode.roles: ["kibana_read_only"]
+server.ssl.enabled: true
+server.ssl.key: "/etc/wazuh-dashboard/certs/{{ dashboard_node_name }}-key.pem"
+server.ssl.certificate: "/etc/wazuh-dashboard/certs/{{ dashboard_node_name }}.pem"
+opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]
+uiSettings.overrides.defaultRoute: /app/wazuh
diff --git a/roles/wazuh/wazuh-dashboard/templates/wazuh.yml.j2 b/roles/wazuh/wazuh-dashboard/templates/wazuh.yml.j2
new file mode 100644
index 0000000..5755a36
--- /dev/null
+++ b/roles/wazuh/wazuh-dashboard/templates/wazuh.yml.j2
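Review bot: `opensearch.ssl.verificationMode: certificate` validates the indexer certificate chain against root-ca.pem but does not match the host name; `full` would also check the name, which works only if the generated node certificates carry the addresses listed in `indexer_cluster_nodes` (the certificate config template is not in this chunk), so confirm that before tightening, and add a comment stating which mode was chosen and why. The templated scalars `server.host: {{ dashboard_server_host }}` and `server.port: {{ dashboard_server_port }}` are unquoted while the certificate paths below are quoted; `server.host: "{{ dashboard_server_host }}"` keeps an empty or unusual value from being re-typed by the YAML parser.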
@@ -0,0 +1,134 @@ +--- +# +# Wazuh app - App configuration file +# Copyright (C) 2016, Wazuh Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# Find more information about this on the LICENSE file. +# +# ======================== Wazuh app configuration file ======================== +# +# Please check the documentation for more information on configuration options: +# https://documentation.wazuh.com/current/installation-guide/index.html +# +# Also, you can check our repository: +# https://github.com/wazuh/wazuh-dashboard-plugins +# +# ------------------------------- Index patterns ------------------------------- +# +# Default index pattern to use. +#pattern: wazuh-alerts-4.x-* +# +# ----------------------------------- Checks ----------------------------------- +# +# Defines which checks must to be consider by the healthcheck +# step once the Wazuh app starts. Values must to be true or false. +#checks.pattern : true +#checks.template: true +#checks.api : true +#checks.setup : true +# +# --------------------------------- Extensions --------------------------------- +# +# Defines which extensions should be activated when you add a new API entry. +# You can change them after Wazuh app starts. +# Values must to be true or false. +#extensions.pci : true +#extensions.gdpr : true +#extensions.hipaa : true +#extensions.nist : true +#extensions.audit : true +#extensions.oscap : false +#extensions.ciscat : false +#extensions.aws : false +#extensions.virustotal: false +#extensions.osquery : false +#extensions.docker : false +# +# ---------------------------------- Time out ---------------------------------- +# +# Defines maximum timeout to be used on the Wazuh app requests. +# It will be ignored if it is bellow 1500. 
+# It means milliseconds before we consider a request as failed. +# Default: 20000 +#timeout: 20000 +# +# ------------------------------ Advanced indices ------------------------------ +# +# Configure .wazuh indices shards and replicas. +#wazuh.shards : 1 +#wazuh.replicas : 0 +# +# --------------------------- Index pattern selector --------------------------- +# +# Defines if the user is allowed to change the selected +# index pattern directly from the Wazuh app top menu. +# Default: true +#ip.selector: true +# +# List of index patterns to be ignored +#ip.ignore: [] +# +# -------------------------------- X-Pack RBAC --------------------------------- +# +# Custom setting to enable/disable built-in X-Pack RBAC security capabilities. +# Default: enabled +#xpack.rbac.enabled: true +# +# ------------------------------ wazuh-monitoring ------------------------------ +# +# Custom setting to enable/disable wazuh-monitoring indices. +# Values: true, false, worker +# If worker is given as value, the app will show the Agents status +# visualization but won't insert data on wazuh-monitoring indices. +# Default: true +#wazuh.monitoring.enabled: true +# +# Custom setting to set the frequency for wazuh-monitoring indices cron task. +# Default: 900 (s) +#wazuh.monitoring.frequency: 900 +# +# Configure wazuh-monitoring-4.x-* indices shards and replicas. +#wazuh.monitoring.shards: 2 +#wazuh.monitoring.replicas: 0 +# +# Configure wazuh-monitoring-4.x-* indices custom creation interval. +# Values: h (hourly), d (daily), w (weekly), m (monthly) +# Default: d +#wazuh.monitoring.creation: d +# +# Default index pattern to use for Wazuh monitoring +#wazuh.monitoring.pattern: wazuh-monitoring-4.x-* +# +# +# ------------------------------- App privileges -------------------------------- +#admin: true +# +# ------------------------------- App logging level ----------------------------- +# Set the logging level for the Wazuh App log files. 
+# Default value: info +# Allowed values: info, debug +#logs.level: info +# +#-------------------------------- API entries ----------------------------------- +#The following configuration is the default structure to define an API entry. +# +#hosts: +# - : +# url: http(s):// +# port: +# user: +# password: + +hosts: +{% for api in wazuh_api_credentials %} + - {{ api['id'] }}: + url: {{ api['url'] }} + port: {{ api['port'] }} + username: {{ api['username'] }} + password: "{{ api['password'] }}" +{% endfor %} diff --git a/roles/wazuh/wazuh-dashboard/vars/debian.yml b/roles/wazuh/wazuh-dashboard/vars/debian.yml new file mode 100644 index 0000000..a49cfc9 --- /dev/null +++ b/roles/wazuh/wazuh-dashboard/vars/debian.yml @@ -0,0 +1,2 @@ +--- +dashboard_version: 4.7.2 diff --git a/roles/wazuh/wazuh-indexer/defaults/main.yml b/roles/wazuh/wazuh-indexer/defaults/main.yml new file mode 100644 index 0000000..6a0201e --- /dev/null +++ b/roles/wazuh/wazuh-indexer/defaults/main.yml 
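Review bot: The comment block documenting the API entry structure lists `user:`, while the loop at the bottom emits `username:`; whichever key the plugin expects, the comment should match what the template actually generates. The loop quotes only `password`; `url: "{{ api['url'] }}"` and `username: "{{ api['username'] }}"` would protect the other scalars from YAML re-typing in the same way, and `port: {{ api['port'] }}` is fine as an integer. Since the rendered file stores the API password in clear text, a one-line comment above `hosts:` noting that the file must stay readable only by the wazuh-dashboard user would tie it to the ownership set in tasks/main.yml.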
@@ -0,0 +1,50 @@ +--- +# Cluster Settings +indexer_version: 4.7.2 + +single_node: false +indexer_node_name: node-1 +indexer_cluster_name: wazuh +indexer_network_host: '0.0.0.0' + +indexer_node_master: true +indexer_node_data: true +indexer_node_ingest: true +indexer_start_timeout: 90 + +indexer_cluster_nodes: + - 127.0.0.1 +indexer_discovery_nodes: + - 127.0.0.1 + +local_certs_path: "{{ playbook_dir }}/indexer/certificates" + +# Minimum master nodes in cluster, 2 for 3 nodes Wazuh indexer cluster +minimum_master_nodes: 2 + +# Configure hostnames for Wazuh indexer nodes +# Example es1.example.com, es2.example.com +domain_name: wazuh.com + +indexer_sec_plugin_conf_path: /etc/wazuh-indexer/opensearch-security +indexer_sec_plugin_tools_path: /usr/share/wazuh-indexer/plugins/opensearch-security/tools +indexer_conf_path: /etc/wazuh-indexer +indexer_index_path: /var/lib/wazuh-indexer/ + +# Security password +indexer_custom_user: "" +indexer_custom_user_role: "admin" + +# Set JVM memory limits +indexer_jvm_xms: null + +indexer_http_port: 9200 + +indexer_admin_password: changeme +dashboard_password: changeme + +# Deployment settings +generate_certs: true +perform_installation: true + +indexer_nolog_sensible: true diff --git a/roles/wazuh/wazuh-indexer/handlers/main.yml b/roles/wazuh/wazuh-indexer/handlers/main.yml new file mode 100644 index 0000000..0c463d0 --- /dev/null +++ b/roles/wazuh/wazuh-indexer/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart wazuh-indexer + service: + name: wazuh-indexer + state: restarted diff --git a/roles/wazuh/wazuh-indexer/meta/main.yml b/roles/wazuh/wazuh-indexer/meta/main.yml new file mode 100644 index 0000000..1b9648a --- /dev/null +++ b/roles/wazuh/wazuh-indexer/meta/main.yml 
@@ -0,0 +1,24 @@
+---
+galaxy_info:
+ author: Wazuh
+ description: Installing and maintaining Wazuh indexer.
+ company: wazuh.com
+ license: license (GPLv3)
+ min_ansible_version: 2.0
+ platforms:
+ - name: EL
+ versions:
+ - all
+ - name: Ubuntu
+ versions:
+ - all
+ - name: Debian
+ versions:
+ - all
+ - name: Fedora
+ versions:
+ - all
+ galaxy_tags:
+ - web
+ - system
+ - monitoring
diff --git a/roles/wazuh/wazuh-indexer/tasks/Debian.yml b/roles/wazuh/wazuh-indexer/tasks/Debian.yml
new file mode 100644
index 0000000..2c2b370
--- /dev/null
+++ b/roles/wazuh/wazuh-indexer/tasks/Debian.yml
@@ -0,0 +1,38 @@
+
+---
+
+- name: Update cache
+ apt:
+ update_cache: yes
+
+- name: Debian 9 (Stretch)
+ when: (ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_major_version'] == "9")
+ block:
+
+ - name: Install Wazuh indexer dependencies
+ apt:
+ name: [
+ 'unzip', 'wget', 'curl', 'apt-transport-https', software-properties-common
+ ]
+ state: present
+
+- name: Add Wazuh indexer repository
+ block:
+ - name: Add apt repository signing key
+ apt_key:
+ url: "{{ wazuh_repo.gpg }}"
+ state: present
+
+ - name: Add Wazuh indexer repository
+ apt_repository:
+ repo: "{{ wazuh_repo.apt }}"
+ state: present
+ filename: 'wazuh-indexer'
+ update_cache: yes
+
+- name: Install Wazuh indexer
+ apt:
+ name: wazuh-indexer={{ indexer_version }}-1
+ state: present
+ register: install
+ tags: install
\ No newline at end of file
diff --git a/roles/wazuh/wazuh-indexer/tasks/RMRedHat.yml b/roles/wazuh/wazuh-indexer/tasks/RMRedHat.yml
new file mode 100644
index 0000000..d4e7989
--- /dev/null
+++ b/roles/wazuh/wazuh-indexer/tasks/RMRedHat.yml
@@ -0,0 +1,6 @@
+---
+- name: RedHat/CentOS/Fedora | Remove Wazuh indexer repository (and clean up left-over metadata)
+ yum_repository:
+ name: wazuh_repo
+ state: absent
+ changed_when: false
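Review bot: The indexer Debian.yml hunk begins with an empty line before `---`, so the document-start marker is not on line 1 (yamllint's document-start rule flags it); drop the blank line. The dependency list is a multi-line flow sequence with mixed quoting (`'apt-transport-https', software-properties-common`) and is installed only on Debian 9, whereas the RedHat task file installs `wget`/`unzip` unconditionally; write it in block style with one quoting convention, and reconsider whether the Stretch-only gate is still intended (the `wget`/`unzip`/`curl` it installs are plausibly needed on every Debian release). Both `update_cache: yes` lines should be `update_cache: true`, and `name: wazuh-indexer={{ indexer_version }}-1` is the only templated package name in this commit left unquoted.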
diff --git a/roles/wazuh/wazuh-indexer/tasks/RedHat.yml b/roles/wazuh/wazuh-indexer/tasks/RedHat.yml
new file mode 100644
index 0000000..53a67ab
--- /dev/null
+++ b/roles/wazuh/wazuh-indexer/tasks/RedHat.yml
@@ -0,0 +1,54 @@
+---
+- block:
+
+ - name: RedHat/CentOS/Fedora | Add Wazuh indexer repo
+ yum_repository:
+ file: wazuh
+ name: wazuh_repo
+ description: Wazuh yum repository
+ baseurl: "{{ wazuh_repo.yum }}"
+ gpgkey: "{{ wazuh_repo.gpg }}"
+ gpgcheck: true
+ changed_when: false
+
+
+
+ - name: Amazon Linux | Install Amazon extras
+ block:
+ - name: Install Amazon extras
+ yum:
+ name: amazon-linux-extras
+ state: present
+
+ - name: Configure vm.max_map_count
+ lineinfile:
+ line: "vm.max_map_count=262144"
+ dest: "/etc/sysctl.conf"
+ insertafter: EOF
+ create: true
+ become: yes
+
+ - name: Update vm.max_map_count
+ shell: sysctl -p
+ become: yes
+
+ when:
+ - ansible_distribution == 'Amazon'
+
+ - name: RedHat/CentOS/Fedora | Install Indexer dependencies
+ yum:
+ name: "{{ packages }}"
+ vars:
+ packages:
+ - wget
+ - unzip
+
+ - name: Install Wazuh indexer
+ package:
+ name: wazuh-indexer-{{ indexer_version }}
+ state: present
+ register: install
+ tags: install
+
+ tags:
+ - install
diff --git a/roles/wazuh/wazuh-indexer/tasks/local_actions.yml b/roles/wazuh/wazuh-indexer/tasks/local_actions.yml
new file mode 100644
index 0000000..4a215be
--- /dev/null
+++ b/roles/wazuh/wazuh-indexer/tasks/local_actions.yml
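Review bot: `vm.max_map_count` is applied with a `lineinfile` into /etc/sysctl.conf followed by `shell: sysctl -p`, which is not idempotent (the shell task reports changed on every run and its result is never checked); the `sysctl` module sets the live value and the persisted file in one idempotent task, so the two tasks can be replaced as shown below. That pair also sits inside the block gated by `when: ansible_distribution == 'Amazon'`, so on RedHat/CentOS/Fedora hosts this role never sets the kernel parameter; unless the indexer package's own scripts do so (not visible here), the sysctl task should move out of the Amazon-only block. Style: the three consecutive blank lines after `changed_when: false` and the `become: yes` values (should be `true`) are worth tidying in the same pass.
```yaml
      # … unchanged: Install Amazon extras task …

      - name: Configure vm.max_map_count
        sysctl:
          name: vm.max_map_count
          value: "262144"
          sysctl_set: true
          state: present
          reload: true
        become: true

    # … unchanged: when clause, dependency and package install …
```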
@@ -0,0 +1,48 @@
+---
+- name: Check if certificates already exists
+ stat:
+ path: "{{ local_certs_path }}"
+ register: certificates_folder
+ delegate_to: localhost
+ become: no
+ tags:
+ - generate-certs
+
+
+- block:
+
+ - name: Local action | Create local temporary directory for certificates generation
+ file:
+ path: "{{ local_certs_path }}"
+ mode: 0755
+ state: directory
+
+ - name: Local action | Check that the generation tool exists
+ stat:
+ path: "{{ local_certs_path }}/wazuh-certs-tool.sh"
+ register: tool_package
+
+ - name: Local action | Download certificates generation tool
+ get_url:
+ url: "{{ certs_gen_tool_url }}"
+ dest: "{{ local_certs_path }}/wazuh-certs-tool.sh"
+ when: not tool_package.stat.exists
+
+ - name: Local action | Prepare the certificates generation template file
+ template:
+ src: "templates/config.yml.j2"
+ dest: "{{ local_certs_path }}/config.yml"
+ mode: 0644
+ register: tlsconfig_template
+
+ - name: Local action | Generate the node & admin certificates in local
+ command: >-
+ bash {{ local_certs_path }}/wazuh-certs-tool.sh -A
+
+ run_once: true
+ delegate_to: localhost
+ become: no
+ tags:
+ - generate-certs
+ when:
+ - not certificates_folder.stat.exists
diff --git a/roles/wazuh/wazuh-indexer/tasks/main.yml b/roles/wazuh/wazuh-indexer/tasks/main.yml
new file mode 100644
index 0000000..48034ae
--- /dev/null
+++ b/roles/wazuh/wazuh-indexer/tasks/main.yml
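Review bot: The certificate tool is fetched with `get_url` and then executed with `bash ... -A` to generate the cluster CA and every node key, but the download is not pinned — no `checksum:` is given, so whatever the URL serves is run locally with the operator's privileges. `get_url` accepts `checksum: "sha256:<expected-digest-placeholder>"` (take the digest from the release); with it, a changed or tampered download becomes a failed task instead of silently producing key material from an unverified script, and the `when: not tool_package.stat.exists` guard would then also stop re-using a stale copy whose hash no longer matches if it were rewritten as a checksum comparison. The directory that will hold the generated private keys is created with `mode: 0755`; unless the tool itself tightens the files it writes (not visible here), `0700` is the safer default for local key material, and the first task's `become: no` should be `become: false`.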
@@ -0,0 +1,140 @@ +--- +- include_vars: ../../vars/repo_vars.yml + +- include_vars: ../../vars/repo.yml + when: packages_repository == 'production' + +- include_vars: ../../vars/repo_pre-release.yml + when: packages_repository == 'pre-release' + +- include_vars: ../../vars/repo_staging.yml + when: packages_repository == 'staging' + +- import_tasks: local_actions.yml + when: + - generate_certs + +- block: + - import_tasks: RedHat.yml + when: ansible_os_family == 'RedHat' + + - import_tasks: Debian.yml + when: ansible_os_family == 'Debian' + + - name: Remove performance analyzer plugin from Wazuh indexer + become: true + command: ./opensearch-plugin remove opensearch-performance-analyzer + ignore_errors: true + args: + chdir: /usr/share/wazuh-indexer/bin/ + register: remove_opensearch_performance_analyzer + failed_when: + - remove_opensearch_performance_analyzer.rc != 0 + - '"not found" not in remove_opensearch_performance_analyzer.stderr' + changed_when: "remove_opensearch_performance_analyzer.rc == 0" + + - name: Remove Opensearch configuration file + file: + path: "{{ indexer_conf_path }}/opensearch.yml" + state: absent + tags: install + + - name: Copy Opensearch Configuration File + template: + src: "templates/opensearch.yml.j2" + dest: "{{ indexer_conf_path }}/opensearch.yml" + owner: root + group: wazuh-indexer + mode: 0640 + force: yes + tags: install + + - include_tasks: security_actions.yml + tags: + - security + + + - name: Configure Wazuh indexer JVM memmory. 
+ template: + src: "templates/jvm.options.j2" + dest: "{{ indexer_conf_path }}/jvm.options" + owner: root + group: wazuh-indexer + mode: 0644 + force: yes + notify: restart wazuh-indexer + tags: install + + - name: Ensure extra time for Wazuh indexer to start on reboots + lineinfile: + path: /usr/lib/systemd/system/wazuh-indexer.service + regexp: '^TimeoutStartSec=' + line: "TimeoutStartSec={{ indexer_start_timeout }}" + become: yes + tags: configure + + - name: Index files to remove + find: + paths: "{{ indexer_index_path }}" + patterns: "*" + register: files_to_delete + + - name: Remove Index Files + file: + path: "{{ item.path }}" + state: absent + with_items: "{{ files_to_delete.files }}" + + - name: Ensure Wazuh indexer started and enabled + service: + name: wazuh-indexer + enabled: true + state: started + + - name: Wait for Wazuh indexer API + uri: + url: "https://{{ inventory_hostname if not single_node else indexer_network_host }}:{{ indexer_http_port }}/_cat/health/" + user: "admin" # Default Indexer user is always "admin" + password: "{{ indexer_admin_password }}" + validate_certs: no + status_code: 200,401 + return_content: yes + timeout: 4 + register: _result + until: + - _result is defined + - '"green" in _result.content or ( "yellow" in _result.content and single_node )' + retries: 24 + delay: 5 + tags: debug + when: + - hostvars[inventory_hostname]['private_ip'] is not defined or not hostvars[inventory_hostname]['private_ip'] + + - name: Wait for Wazuh indexer API (Private IP) + uri: + url: "https://{{ hostvars[inventory_hostname]['private_ip'] if not single_node else indexer_network_host }}:{{ indexer_http_port }}/_cat/health/" + user: "admin" # Default Indexer user is always "admin" + password: "{{ indexer_admin_password }}" + validate_certs: no + status_code: 200,401 + return_content: yes + timeout: 4 + register: _result + until: + - _result is defined + - '"green" in _result.content or ( "yellow" in _result.content and single_node )' + retries: 
24 + delay: 5 + tags: debug + when: + - hostvars[inventory_hostname]['private_ip'] is defined and hostvars[inventory_hostname]['private_ip'] + + - import_tasks: "RMRedHat.yml" + when: ansible_os_family == "RedHat" + + - name: Reload systemd configuration + systemd: + daemon_reload: true + become: yes + notify: restart wazuh-indexer + when: perform_installation diff --git a/roles/wazuh/wazuh-indexer/tasks/security_actions.yml b/roles/wazuh/wazuh-indexer/tasks/security_actions.yml new file mode 100644 index 0000000..26b83fd --- /dev/null +++ b/roles/wazuh/wazuh-indexer/tasks/security_actions.yml 
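Review bot: The `Index files to remove` / `Remove Index Files` pair deletes everything under `indexer_index_path` unconditionally on every run of the `perform_installation` block, so re-running the role against an existing node wipes its index data; guard it on the package actually having been installed, e.g. `when: install is changed`, using the `install` result registered in RedHat.yml (Debian.yml is not in this hunk, so check it registers the same name). In the plugin-removal task `ignore_errors: true` makes the `failed_when` condition moot, because a failure whose stderr lacks "not found" is printed but never fails the play; drop `ignore_errors` and let `failed_when` decide. The two `Wait for Wazuh indexer API` tasks differ only in the host and send the admin password with `validate_certs: no`; since the role installs its own root-ca.pem on the node, `ca_path: "{{ indexer_conf_path }}/certs/root-ca.pem"` could replace `validate_certs: no` once the generated certificate's SAN covers the address being polled. `memmory` in the JVM task name is a typo.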
@@ -0,0 +1,118 @@ +- name: Configure IP (Private address) + set_fact: + target_address: "{{ hostvars[inventory_hostname]['private_ip'] if not single_node else indexer_network_host }}" + when: + - hostvars[inventory_hostname]['private_ip'] is defined + +- name: Configure IP (Public address) + set_fact: + target_address: "{{ inventory_hostname if not single_node else indexer_network_host }}" + when: + - hostvars[inventory_hostname]['private_ip'] is not defined + +- name: Ensure Indexer certificates directory permissions. + file: + path: "{{ indexer_conf_path }}/certs/" + state: directory + owner: wazuh-indexer + group: wazuh-indexer + mode: 500 + +- name: Copy the node & admin certificates to Wazuh indexer cluster + copy: + src: "{{ local_certs_path }}/wazuh-certificates/{{ item }}" + dest: "{{ indexer_conf_path }}/certs/" + owner: wazuh-indexer + group: wazuh-indexer + mode: 0400 + with_items: + - root-ca.pem + - root-ca.key + - "{{ indexer_node_name }}-key.pem" + - "{{ indexer_node_name }}.pem" + - admin-key.pem + - admin.pem + +- name: Restart Wazuh indexer with security configuration + systemd: + name: wazuh-indexer + state: restarted + +- name: Copy the Opensearch security internal users template + template: + src: "templates/internal_users.yml.j2" + dest: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml" + mode: 0644 + run_once: true + +- block: + - name: Hashing the custom admin password + shell: | + export JAVA_HOME=/usr/share/wazuh-indexer/jdk + {{ indexer_sec_plugin_tools_path }}/hash.sh -p '{{ indexer_admin_password }}' + register: indexer_admin_password_hashed + no_log: '{{ indexer_nolog_sensible | bool }}' + + - name: Set the Admin user password + replace: + path: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml" + regexp: '(?<=admin:\n hash: )(.*)(?=)' + replace: "{{ indexer_password_hash | quote }}" + vars: + indexer_password_hash: "{{ indexer_admin_password_hashed.stdout_lines | last }}" + + # this can also be achieved with password_hash, 
but it requires dependencies on the controller + - name: Hash the kibanaserver role/user pasword + shell: | + export JAVA_HOME=/usr/share/wazuh-indexer/jdk + {{ indexer_sec_plugin_tools_path }}/hash.sh -p '{{ dashboard_password }}' + register: indexer_kibanaserver_password_hashed + no_log: '{{ indexer_nolog_sensible | bool }}' + + - name: Set the kibanaserver user password + replace: + path: "{{ indexer_sec_plugin_conf_path }}/internal_users.yml" + regexp: '(?<=kibanaserver:\n hash: )(.*)(?=)' + replace: "{{ indexer_password_hash | quote }}" + vars: + indexer_password_hash: "{{ indexer_kibanaserver_password_hashed.stdout_lines | last }}" + + - name: Initialize the Opensearch security index in Wazuh indexer + command: > + sudo -u wazuh-indexer OPENSEARCH_PATH_CONF={{ indexer_conf_path }} + JAVA_HOME=/usr/share/wazuh-indexer/jdk + {{ indexer_sec_plugin_tools_path }}/securityadmin.sh + -cd {{ indexer_sec_plugin_conf_path }}/ + -icl -p 9200 -cd {{ indexer_sec_plugin_conf_path }}/ + -nhnv + -cacert {{ indexer_conf_path }}/certs/root-ca.pem + -cert {{ indexer_conf_path }}/certs/admin.pem + -key {{ indexer_conf_path }}/certs/admin-key.pem + -h {{ target_address }} + retries: 2 + delay: 5 + register: result + until: result.rc == 0 + run_once: true + + +- name: Create custom user + uri: + url: "https://{{ target_address }}:{{ indexer_http_port }}/_plugins/_security/api/internalusers/{{ indexer_custom_user }}" + method: PUT + user: "admin" # Default Indexer user is always "admin" + password: "{{ indexer_admin_password }}" + body: | + { + "password": "{{ indexer_admin_password }}", + "backend_roles": ["{{ indexer_custom_user_role }}"] + } + body_format: json + validate_certs: no + status_code: 200,201,401 + return_content: yes + timeout: 4 + when: + - indexer_custom_user is defined and indexer_custom_user + + diff --git a/roles/wazuh/wazuh-indexer/templates/config.yml.j2 b/roles/wazuh/wazuh-indexer/templates/config.yml.j2 new file mode 100644 index 0000000..dd565d0 
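Review bot: `root-ca.key` is copied to every indexer node in the `Copy the node & admin certificates` task, yet nothing in opensearch.yml.j2 references it — only root-ca.pem is needed for trust — so the CA private key is spread to hosts that do not need it and a compromise of any one node can mint certificates the whole cluster trusts; remove `- root-ca.key` from the `with_items` list. `mode: 500` on the certs directory is an unquoted decimal integer, which Ansible applies as 500 decimal (0764), not 0500; write `mode: "0500"`. The two `hash.sh -p '{{ ... }}'` commands splice the password into a shell line unquoted, so a password containing a single quote breaks the command or escapes into the shell; use `{{ indexer_admin_password | quote }}` and `{{ dashboard_password | quote }}`, and prefer the tool's environment-variable or prompt input if the installed version offers one, since `no_log` hides the Ansible output but not the process argument list. The `Create custom user` task assigns `indexer_admin_password` to the new account, so the custom user shares the admin secret, and its JSON body is built by string interpolation; a dedicated password variable rendered with `| to_json` would address both.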
--- /dev/null
+++ b/roles/wazuh/wazuh-indexer/templates/config.yml.j2
@@ -0,0 +1,33 @@
+nodes:
+ # Indexer server nodes
+ indexer:
+{% for (key,value) in instances.items() %}
+{% if (value.role is defined and value.role == 'indexer') %}
+ - name: {{ value.name }}
+ ip: {{ value.ip }}
+{% endif %}
+{% endfor %}
+
+ # Wazuh server nodes
+ # Use node_type only with more than one Wazuh manager
+ server:
+{% for (key,value) in instances.items() %}
+{% if (value.role is defined and value.role == 'wazuh') %}
+ - name: {{ value.name }}
+ ip: {{ value.ip }}
+{% endif %}
+{% if (value.node_type is defined and value.node_type == 'master') %}
+ node_type: master
+{% elif (value.node_type is defined and value.node_type == 'worker') %}
+ node_type: worker
+{% endif %}
+{% endfor %}
+
+ # Dashboard node
+ dashboard:
+{% for (key,value) in instances.items() %}
+{% if (value.role is defined and value.role == 'dashboard') %}
+ - name: {{ value.name }}
+ ip: {{ value.ip }}
+{% endif %}
+{% endfor %}
diff --git a/roles/wazuh/wazuh-indexer/templates/disabledlog4j.options.j2 b/roles/wazuh/wazuh-indexer/templates/disabledlog4j.options.j2
new file mode 100644
index 0000000..ccfefab
--- /dev/null
+++ b/roles/wazuh/wazuh-indexer/templates/disabledlog4j.options.j2
@@ -0,0 +1,4 @@
+## JVM configuration
+
+## Disable log4j
+-Dlog4j2.formatMsgNoLookups=true
\ No newline at end of file
diff --git a/roles/wazuh/wazuh-indexer/templates/internal_users.yml.j2 b/roles/wazuh/wazuh-indexer/templates/internal_users.yml.j2
new file mode 100644
index 0000000..e00ebe0
--- /dev/null
+++ b/roles/wazuh/wazuh-indexer/templates/internal_users.yml.j2
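Review bot: In the `server:` loop the `node_type` conditional sits after the `{% endif %}` that closes the `value.role == 'wazuh'` check, so an instance of another role that happens to define `node_type` emits a `node_type:` line with no preceding list entry, which the comment `Use node_type only with more than one Wazuh manager` does not intend; moving the `{% if (value.node_type ...` block inside the role check, before its `{% endif %}`, makes the output match the comment. `name: {{ value.name }}` and `ip: {{ value.ip }}` are rendered unquoted; quoting them (`name: "{{ value.name }}"`) protects the generated config from YAML type coercion if a caller passes a numeric-looking value.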
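Review bot: The file name and the `## Disable log4j` comment overstate what `-Dlog4j2.formatMsgNoLookups=true` does — it disables message lookups in log4j2, not log4j itself — so `## Disable log4j2 message lookups` would describe the line accurately. I also do not see a task in this diff that renders disabledlog4j.options.j2, and jvm.options.j2 does not carry the flag, so unless it is consumed elsewhere the setting is never applied; if it is meant to be active, adding the line to jvm.options.j2 is the simplest way to make that so.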
@@ -0,0 +1,21 @@
+---
+# This is the internal user database
+# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
+
+_meta:
+ type: "internalusers"
+ config_version: 2
+
+# Define your internal users here
+
+admin:
+ hash: "{{ indexer_admin_password }}"
+ reserved: true
+ backend_roles:
+ - "admin"
+ description: "admin user"
+
+kibanaserver:
+ hash: "{{ dashboard_password }}"
+ reserved: true
+ description: "kibanaserver user"
diff --git a/roles/wazuh/wazuh-indexer/templates/jvm.options.j2 b/roles/wazuh/wazuh-indexer/templates/jvm.options.j2
new file mode 100644
index 0000000..74c0105
--- /dev/null
+++ b/roles/wazuh/wazuh-indexer/templates/jvm.options.j2
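Review bot: The template writes the cleartext `indexer_admin_password` and `dashboard_password` into the `hash:` fields and relies on the later `replace` tasks in security_actions.yml to swap them for bcrypt hashes, so between those steps — and permanently, if the lookbehind regexp does not match the rendered whitespace — the plaintext secrets sit on disk in a file the template task creates with `mode: 0644`. Computing the hashes first and rendering them directly, e.g. `hash: "{{ indexer_admin_password_hashed.stdout_lines | last }}"`, removes both the exposure window and the fragile regexp edit. Independently, the file holds credential material, so the template task should use a restrictive mode such as `mode: "0640"` with `group: wazuh-indexer`, matching the opensearch.yml task in main.yml.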
@@ -0,0 +1,94 @@ +## JVM configuration + +################################################################ +## IMPORTANT: JVM heap size +################################################################ +## +## You should always set the min and max JVM heap +## size to the same value. For example, to set +## the heap to 4 GB, set: +## +## -Xms4g +## -Xmx4g +## +## +################################################################ + +# Xms represents the initial size of total heap space +# Xmx represents the maximum size of total heap space + +{% if indexer_jvm_xms is not none %} +{% if indexer_jvm_xms < 32000 %} +-Xms{{ indexer_jvm_xms }}m + +-Xmx{{ indexer_jvm_xms }}m +{% else %} +-Xms32000m + +-Xmx32000m +{% endif %} +{% else %} +-Xms{% if ansible_memtotal_mb < 64000 %}{{ ((ansible_memtotal_mb|int)/2)|int }}m{% else %}32000m{% endif %} + +-Xmx{% if ansible_memtotal_mb < 64000 %}{{ ((ansible_memtotal_mb|int)/2)|int }}m{% else %}32000m{% endif %} +{% endif %} + + +################################################################ +## Expert settings +################################################################ +## +## All settings below this section are considered +## expert settings. 
Don't tamper with them unless +## you understand what you are doing +## +################################################################ + +## GC configuration +8-13:-XX:+UseConcMarkSweepGC +8-13:-XX:CMSInitiatingOccupancyFraction=75 +8-13:-XX:+UseCMSInitiatingOccupancyOnly + +## G1GC Configuration +# NOTE: G1 GC is only supported on JDK version 10 or later +# to use G1GC, uncomment the next two lines and update the version on the +# following three lines to your version of the JDK +# 10-13:-XX:-UseConcMarkSweepGC +# 10-13:-XX:-UseCMSInitiatingOccupancyOnly +14-:-XX:+UseG1GC +14-:-XX:G1ReservePercent=25 +14-:-XX:InitiatingHeapOccupancyPercent=30 + +## JVM temporary directory +-Djava.io.tmpdir=${OPENSEARCH_TMPDIR} + +## heap dumps + +# generate a heap dump when an allocation from the Java heap fails +# heap dumps are created in the working directory of the JVM +-XX:+HeapDumpOnOutOfMemoryError + +# specify an alternative path for heap dumps; ensure the directory exists and +# has sufficient space +-XX:HeapDumpPath=data + +# specify an alternative path for JVM fatal error logs +-XX:ErrorFile=/var/log/wazuh-indexer/hs_err_pid%p.log + +## JDK 8 GC logging +8:-XX:+PrintGCDetails +8:-XX:+PrintGCDateStamps +8:-XX:+PrintTenuringDistribution +8:-XX:+PrintGCApplicationStoppedTime +8:-Xloggc:/var/log/wazuh-indexer/gc.log +8:-XX:+UseGCLogFileRotation +8:-XX:NumberOfGCLogFiles=32 +8:-XX:GCLogFileSize=64m + +# JDK 9+ GC logging +9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/wazuh-indexer/gc.log:utctime,pid,tags:filecount=32,filesize=64m + +## Opensearch Performance Analyzer +-Dclk.tck=100 +-Djdk.attach.allowAttachSelf=true +-Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy diff --git a/roles/wazuh/wazuh-indexer/templates/opensearch.yml.j2 b/roles/wazuh/wazuh-indexer/templates/opensearch.yml.j2 new file mode 100644 index 0000000..0bcf2e3 --- /dev/null 
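Review bot: `{% if indexer_jvm_xms < 32000 %}` compares the variable directly with an integer; if the value arrives as a string (as `-e` extra-vars and inventory values commonly do) Jinja2 under Python 3 raises a TypeError instead of rendering, so write `{% if indexer_jvm_xms | int < 32000 %}`. The closing `-Djava.security.policy=file:///usr/share/wazuh-indexer/plugins/opensearch-performance-analyzer/...` line points into the plugin that main.yml removes, so on a host where that removal succeeded the policy path no longer exists; I cannot tell from here whether the JVM tolerates the missing file, so either drop the Performance Analyzer lines or emit them only when the plugin is kept. The `32000m` cap is repeated in four places; a single `{% set heap_cap = 32000 %}` at the top would keep them in sync.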
+++ b/roles/wazuh/wazuh-indexer/templates/opensearch.yml.j2 
@@ -0,0 +1,59 @@ +network.host: {{ indexer_network_host }} +node.name: {{ indexer_node_name }} +{% if single_node == true %} +discovery.type: single-node +{% else %} +cluster.initial_master_nodes: +{% for item in indexer_cluster_nodes %} + - {{ item }} +{% endfor %} + +discovery.seed_hosts: +{% for item in indexer_discovery_nodes %} + - {{ item }} +{% endfor %} +{% endif %} + +cluster.name: {{ indexer_cluster_name }} + +http.port: 9200-9299 +transport.tcp.port: 9300-9399 +node.max_local_storage_nodes: "3" +path.data: /var/lib/wazuh-indexer +path.logs: /var/log/wazuh-indexer + + +############################################################################### +# # +# WARNING: Demo certificates set up in this file. # +# Please change on production cluster! # +# # +############################################################################### + +plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/{{ indexer_node_name }}.pem +plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/{{ indexer_node_name }}-key.pem +plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem +plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/{{ indexer_node_name }}.pem +plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/{{ indexer_node_name }}-key.pem +plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem +plugins.security.ssl.http.enabled: true +plugins.security.ssl.transport.enforce_hostname_verification: false +plugins.security.ssl.transport.resolve_hostname: false + +plugins.security.authcz.admin_dn: +- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" +plugins.security.check_snapshot_restore_write_privileges: true +plugins.security.enable_snapshot_restore_privilege: true +plugins.security.nodes_dn: +{% for (key,value) in instances.items() %} +- "CN={{ value.name }},OU=Wazuh,O=Wazuh,L=California,C=US" +{% endfor %} 
+plugins.security.restapi.roles_enabled: +- "all_access" +- "security_rest_api_access" + +plugins.security.system_indices.enabled: true +plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"] + +### Option to allow Filebeat-oss 7.10.2 to work ### +compatibility.override_main_response_version: true diff --git a/roles/wazuh/wazuh-indexer/templates/tlsconfig.yml.j2 b/roles/wazuh/wazuh-indexer/templates/tlsconfig.yml.j2 new file mode 100644 index 0000000..67ab547 --- /dev/null +++ b/roles/wazuh/wazuh-indexer/templates/tlsconfig.yml.j2 
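Review bot: The six `plugins.security.ssl.*_filepath` lines hard-code `/etc/wazuh-indexer/certs/`, while security_actions.yml installs the certificates under `{{ indexer_conf_path }}/certs/`; if `indexer_conf_path` is ever set to anything else the node starts without its certificates, so render the paths from the same variable, e.g. `plugins.security.ssl.http.pemcert_filepath: {{ indexer_conf_path }}/certs/{{ indexer_node_name }}.pem`. The `WARNING: Demo certificates set up in this file` banner is stale — the role generates its own CA and node certificates in local_actions.yml — and would lead an operator to believe demo material is in use; replace it with a comment stating the certificates come from the `generate_certs` step. `enforce_hostname_verification: false` together with `resolve_hostname: false` means transport peers are authenticated only by the `nodes_dn` list, which is a defensible choice for IP-addressed nodes but deserves a one-line comment saying so.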
@@ -0,0 +1,47 @@
+ca:
+ root:
+ dn: CN=root.ca.{{ domain_name }},OU=CA,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
+ keysize: 2048
+ validityDays: 730
+ pkPassword: none
+ file: root-ca.pem
+
+### Default values and global settings
+defaults:
+ validityDays: 730
+ pkPassword: none
+ # Set this to true in order to generate config and certificates for
+ # the HTTP interface of nodes
+ httpsEnabled: true
+ reuseTransportCertificatesForHttp: false
+ verifyHostnames: false
+ resolveHostnames: false
+
+###
+### Nodes
+###
+#
+# Specify the nodes of your ES cluster here
+#
+nodes:
+{% for (key,value) in instances.items() %}
+{% if (value.ip is defined and value.ip | length > 0) %}
+ - name: {{ value.name }}
+ dn: CN={{ value.name }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
+ dns: {{ value.name }}.{{ domain_name }}
+ ip: {{ value.ip }}
+{% endif %}
+{% endfor %}
+###
+### Clients
+###
+#
+# Specify the clients that shall access your ES cluster with certificate authentication here
+#
+# At least one client must be an admin user (i.e., a super-user). Admin users can
+# be specified with the attribute admin: true
+#
+clients:
+ - name: admin
+ dn: CN=admin.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,DC={{ domain_name }}
+ admin: true
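Review bot: No task in this diff renders tlsconfig.yml.j2 — local_actions.yml templates config.yml.j2 for wazuh-certs-tool.sh — and the DNs it would produce (`CN={{ value.name }}.{{ domain_name }},OU=Ops,O={{ domain_name }}\, Inc.,...`) do not match the `nodes_dn` and `admin_dn` entries in opensearch.yml.j2 (`CN={{ value.name }},OU=Wazuh,O=Wazuh,L=California,C=US`), so certificates generated from it would not be accepted by the security plugin as node or admin certificates. If it is a leftover from a previous generator, drop it; if it is meant as an alternative, either align its DNs with opensearch.yml.j2 or add a header comment stating that the role does not use it. `pkPassword: none` leaves the generated private keys unencrypted on the controller, which matches the rest of the role but is worth stating in the comment above `defaults:`.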